Law

You are currently browsing the archive for the Law category.

If the GDPR did what it promised to do, we’d be celebrating Privmas today. Because, two years after the GDPR became enforceable, privacy would now be the norm rather than the exception in the online world.

That hasn’t happened, but it’s not just because the GDPR is poorly enforced.  It’s because it’s too easy for every damn site on the Web—and every damn business with an Internet connection—to claim compliance to the letter of GDPR while violating its spirit.

Want to see how easy? Try searching for GDPR+compliance+consent:

https://www.google.com/search?q=gdpr+compliance+consent

Nearly all of the ~21,000,000 results you’ll get are from sources pitching ways to continue tracking people online, mostly by obtaining “consent” to privacy violations that almost nobody would welcome in the offline world—exactly the kind of icky practice that the GDPR was meant to stop.

Imagine if every shop you passed on the street sent someone outside to painlessly jab a needle into your neck, and then injecting a load of tracking beacons into your bloodstream. Would you be okay with that?

Well, that’s what you’re saying when you click “Accept” or “Got it” when a typical GDPR-complying website presents a cookie notice that says something like this:

That notice is from Vice, by the way. Here’s how the top story on Vice’s front page looks in Belgium (though a VPN), with Privacy Badger looking for trackers:

What’s typical here is that a publication, with no sense of irony, runs a story about privacy-violating harvesting of personal data… while doing the same.

Yes, Google says you’re anonymized somehow in both DoubleClick and Google Analytics, but it’s you they are stalking. (Look up stalk as a verb. Top result: “to pursue or approach prey, quarry, etc., stealthily.” That’s what’s going on.)

Get this: There is also no way for you to know exactly how you are being tracked or what is done with information gathered about you, because the instrument for that—a tool on your side—isn’t available. It probably hasn’t even been invented. You also have no record of agreeing to anything. It’s not even clear that the site or its third parties have a record of that. All you’ve got is a cookie planted deep in your browser’s bowels, designed to announce itself to other parties everywhere you go on the Web. In sum, consenting to a cookie notice leaves nothing resembling an audit trail.

So let’s go back to a simple privacy principle here: It is just as wrong to track a person like a marked animal in the online world as it is in the offline one.

The GDPR was made to thwart that kind of thing. On the whole it has not. Instead, it has made the experience of being tracked online a worse one.

True, that was not the intent. And yes, the GDPR has done some good. But if you are any less followed online today than you were when the GDPR became enforceable two years ago, it’s because you and the browser makers have worked to thwart at least some of it. You’ve done that by blocking ads that require tracking; and you’ve both done it by blocking tracking itself.

But tracking is still worse than rampant: it’s defaulted practice for both advertising and site analytics. And it will remain so until we have code, laws and enforcement which together stop it.

So, nothing to celebrate. Not this Privmas.

Tags: ,

Here’s the popover that greets visitors on arrival at Rolling Stone‘s website:

Our Privacy Policy has been revised as of January 1, 2020. This policy outlines how we use your information. By using our site and products, you are agreeing to the policy.

That policy is supplied by Rolling Stone’s parent (PMC) and weighs more than 10,000 words. In it the word “advertising” appears 68 times. Adjectives modifying it include “targeted,” “personalized,” “tailored,” “cookie-based,” “behavioral” and “interest-based.” All of that is made possible by, among other things—

Information we collect automatically:

Device information and identifiers such as IP address; browser type and language; operating system; platform type; device type; software and hardware attributes; and unique device, advertising, and app identifiers

Internet network and device activity data such as information about files you download, domain names, landing pages, browsing activity, content or ads viewed and clicked, dates and times of access, pages viewed, forms you complete or partially complete, search terms, uploads or downloads, the URL that referred you to our Services, the web sites you visit after this web site; if you share our content to social media platforms; and other web usage activity and data logged by our web servers, whether you open an email and your interaction with email content, access times, error logs, and other similar information. See “Cookies and Other Tracking Technologies” below for more information about how we collect and use this information.

Geolocation information such as city, state and ZIP code associated with your IP address or derived through Wi-Fi triangulation; and precise geolocation information from GPS-based functionality on your mobile devices, with your permission in accordance with your mobile device settings.

The “How We Use the Information We Collect” section says they will—

Personalize your experience to Provide the Services, for example to:

  • Customize certain features of the Services,
  • Deliver relevant content and to provide you with an enhanced experience based on your activities and interests
  • Send you personalized newsletters, surveys, and information about products, services and promotions offered by us, our partners, and other organizations with which we work
  • Customize the advertising on the Services based on your activities and interests
  • Create and update inferences about you and audience segments that can be used for targeted advertising and marketing on the Services, third party services and platforms, and mobile apps
  • Create profiles about you, including adding and combining information we obtain from third parties, which may be used for analytics, marketing, and advertising
  • Conduct cross-device tracking by using information such as IP addresses and unique mobile device identifiers to identify the same unique users across multiple browsers or devices (such as smartphones or tablets, in order to save your preferences across devices and analyze usage of the Service.
  • using inferences about your preferences and interests for any and all of the above purposes

For a look at what Rolling Stone, PMC and their third parties are up to, Privacy Badger’s browser extension “found 73 potential trackers on www.rollingstone.com:

tagan.adlightning.com
 acdn.adnxs.com
 ib.adnxs.com
 cdn.adsafeprotected.com
 static.adsafeprotected.com
 d.agkn.com
 js.agkn.com
 c.amazon-adsystem.com
 z-na.amazon-adsystem.com
 display.apester.com
 events.apester.com
 static.apester.com
 as-sec.casalemedia.com
 ping.chartbeat.net
 static.chartbeat.com
 quantcast.mgr.consensu.org
 script.crazyegg.com
 dc8xl0ndzn2cb.cloudfront.net
cdn.digitru.st
 ad.doubleclick.net
 securepubads.g.doubleclick.net
 hbint.emxdgt.com
 connect.facebook.net
 adservice.google.com
 pagead2.googlesyndication.com
 www.googletagmanager.com
 www.gstatic.com
 static.hotjar.com
 imasdk.googleapis.com
 js-sec.indexww.com
 load.instinctiveads.com
 ssl.p.jwpcdn.com
 content.jwplatform.com
 ping-meta-prd.jwpltx.com
 prd.jwpltx.com
 assets-jpcust.jwpsrv.com
 g.jwpsrv.com
pixel.keywee.co
 beacon.krxd.net
 cdn.krxd.net
 consumer.krxd.net
 www.lightboxcdn.com
 widgets.outbrain.com
 cdn.permutive.com
 assets.pinterest.com
 openbid.pubmatic.com
 secure.quantserve.com
 cdn.roiq.ranker.com
 eus.rubiconproject.com
 fastlane.rubiconproject.com
 s3.amazonaws.com
 sb.scorecardresearch.com
 p.skimresources.com
 r.skimresources.com
 s.skimresources.com
 t.skimresources.com
launcher.spot.im
recirculation.spot.im
 js.spotx.tv
 search.spotxchange.com
 sync.search.spotxchange.com
 cc.swiftype.com
 s.swiftypecdn.com
 jwplayer.eb.tremorhub.com
 pbs.twimg.com
 cdn.syndication.twimg.com
 platform.twitter.com
 syndication.twitter.com
 mrb.upapi.net
 pixel.wp.com
 stats.wp.com
 www.youtube.com
 s.ytimg.com

This kind of shit is why we have the EU’s GDPR (General Data Protection Regulation) and California’s CCPA (California Consumer Privacy Act). (No, it’s not just because Google and Facebook.) If publishers and the adtech industry (those third parties) hadn’t turned the commercial Web into a target-rich environment for suckage by data vampires, we’d never have had either law. (In fact, both laws are still new: the GDPR went into effect in May 2018 and the CCPA a few days ago.)

I’m in California, where the CCPA gives me the right to shake down the vampiretariat for all the information about me they’re harvesting, sharing, selling or giving away to or through those third parties.* But apparently Rolling Stone and PMC don’t care about that.

Others do, and I’ll visit some of those in later posts. Meanwhile I’ll let Rolling Stone and PMC stand as examples of bad acting by publishers that remains rampant, unstopped and almost entirely unpunished, even under these new laws.

I also suggest following and getting involved with the fight against the plague of data vampirism in the publishing world. These will help:

  1. Reading Don Marti’s blog, where he shares expert analysis and advice on the CCPA and related matters. Also People vs. Adtech, a compilation of my own writings on the topic, going back to 2008.
  2. Following what the browser makers are doing with tracking protection (alas, differently†). Shortcuts: Brave, Google’s Chrome, Ghostery’s Cliqz, Microsoft’s Edge, Epic, Mozilla’s Firefox.
  3. Following or joining communities working to introduce safe forms of nourishment for publishers and better habits for advertisers and their agencies. Those include Customer CommonsMe2B AllianceMyData Global and ProjectVRM.

______________

*The bill (AB 375), begins,

The California Constitution grants a right of privacy. Existing law provides for the confidentiality of personal information in various contexts and requires a business or person that suffers a breach of security of computerized data that includes personal information, as defined, to disclose that breach, as specified.

This bill would enact the California Consumer Privacy Act of 2018. Beginning January 1, 2020, the bill would grant a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared. The bill would require a business to make disclosures about the information and the purposes for which it is used. The bill would grant a consumer the right to request deletion of personal information and would require the business to delete upon receipt of a verified request, as specified. The bill would grant a consumer a right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of 3rd parties to which the information was sold or disclosed…

Don Marti has a draft letter one might submit to the brokers and advertisers who use all that personal data. (He also tweets a caution here.)

†This will be the subject of my next post.

We know more than we can tell.

That one-liner from Michael Polanyi has been waiting half a century for a proper controversy, which it now has with facial recognition. Here’s how he explains it in The Tacit Dimension:

This fact seems obvious enough; but it is not easy to say exactly what it means. Take an example. We know a person’s face, and can recognize it among a thousand others, indeed among a million. Yet we usually cannot tell how we recognize a face we know. So most of this knowledge cannot be put into words.

Polanyi calls that kind of knowledge tacit. The kind we can put into words he calls explicit.

For an example of both at work, consider how, generally, we  don’t know how we will end the sentences we begin, or how we began the sentences we are ending—and how the same is true of what we hear or read from other people whose sentences we find meaningful. The explicit survives only as fragments, but the meaning of what was said persists in tacit form.

Likewise, if we are asked to recall and repeat, verbatim, a paragraph of words we have just said or heard, we will find it difficult or impossible to do so, even if we have no trouble saying exactly what was meant. This is because tacit knowing, whether kept to one’s self or told to others, survives the natural human tendency to forget particulars after a few seconds, even when we very clearly understand what we have just said or heard.

Tacit knowledge and short term memory are both features of human knowing and communication, not bugs. Even for people with extreme gifts of memorization (e.g. actors who can learn a whole script in one pass, or mathematicians who can learn pi to 4000 decimals), what matters more than the words or the numbers are their meaning. And that meaning is both more and other than what can be said. It is deeply tacit.

On the other hand—the digital hand—computer knowledge is only explicit, meaning a computer can know only what it can tell. At both knowing and telling, a computer can be far more complete and detailed than a human could ever be. And the more a computer knows, the better it can tell. (To be clear, a computer doesn’t know a damn thing. But it does remember—meaning it retrieves—what’s in its databases, and it does process what it retrieves. At all those activities it is inhumanly capable.)

So, the more a computer learns of explicit facial details, the better it can infer conclusions about that face, including ethnicity, age, emotion, wellness (or lack of it) and much else. Given a base of data about individual faces, and of names associated with those faces, a computer programmed to be adept at facial recognition can also connect faces to names, and say “This is (whomever).”

For all those reasons, computers doing facial recognition are proving useful for countless purposes: unlocking phones, finding missing persons and criminals, aiding investigations, shortening queues at passport portals, reducing fraud (for example at casinos), confirming age (saying somebody is too old or not old enough), finding lost pets (which also have faces). The list is long and getting longer.

Yet many (or perhaps all) of those purposes are at odds with the sense of personal privacy that derives from the tacit ways we know faces, our reliance on short term memory, and our natural anonymity (literally, namelessness) among strangers. All of those are graces of civilized life in the physical world, and they are threatened by the increasingly widespread use—and uses—of facial recognition by governments, businesses, schools and each other.

Louis Brandeis and Samuel Warren visited the same problem more than a century ago, when they became alarmed at the implications of recording and reporting technologies that were far more primitive than the kind we have today. In response to those technologies, they wrote a landmark Harvard Law Review paper titled The Right to Privacy, which has served as a pole star of good sense ever since. Here’s an excerpt:

Recent inventions and business methods call attention to the next step which must be taken for the protection of the person, and for securing to the individual what Judge Cooley calls the right “to be let alone” 10 Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life ; and numerous mechanical devices threaten to make good the prediction that “what is whispered in the closet shall be proclaimed from the house-tops.” For years there has been a feeling that the law must afford some remedy for the unauthorized circulation of portraits of private persons ;11 and the evil of invasion of privacy by the newspapers, long keenly felt, has been but recently discussed by an able writer.12 The alleged facts of a somewhat notorious case brought before an inferior tribunal in New York a few months ago, 13 directly involved the consideration of the right of circulating portraits ; and the question whether our law will recognize and protect the right to privacy in this and in other respects must soon come before out courts for consideration.

They also say the “right of the individual to be let alone…is like the right not be assaulted or beaten, the right not be imprisoned, the right not to be maliciously prosecuted, the right not to be defamed.”

To that list today we might also add, “the right not to be reduced to bits” or “the right not to be tracked like an animal.”

But it’s hard to argue for those rights in the digital world, where computers can see, hear, draw and paint exact portraits of everything: every photo we take, every word we write, every spreadsheet we assemble, every database accumulating in our hard drives—plus those of every institution we interact with, and countless ones we don’t (or do without knowing the interaction is there).

Facial recognition by computers is a genie that is not going back in the bottle. And there is no limit to wishes the facial recognition genie can grant the organizations that want to use it, which is why pretty much everything is being done with it. A few examples:

  • Facebook’s Deep Face sells facial recognition for many purposes to corporate customers. Examples from that link: “Face Detection & Landmarks…Facial Analysis & Attributes…Facial Expressions & Emotion… Verification, Similarity & Search.” This is non-trivial stuff. Writes Ben Goertzel, “Facebook has now pretty convincingly solved face recognition, via a simple convolutional neural net, dramatically scaled.”
  • FaceApp can make a face look older, younger, whatever. It can even swap genders.
  • The FBI’s Next Generation Identification (NGI), involves (says Wikipedia) eleven companies and the National Center for State Courts (NCSC).
  • Snap has a patent for reading emotions in faces.
  • The MORIS™ Multi-Biometric Identification System is “a portable handheld device and identification database system that can scan, recognize and identify individuals based on iris, facial and fingerprint recognition,” and is typically used law enforcement organizations.
  • Casinos in Canada are using facial recognition to “help addicts bar themselves from gaming facilities.” It’s opt-in: “The technology relies on a method of “self-exclusion,” whereby compulsive gamblers volunteer in advance to have their photos banked in the system’s database, in case they ever get the urge to try their luck at a casino again. If that person returns in the future and the facial-recognition software detects them, security will be dispatched to ask the gambler to leave.”
  • Cruise ships are boarding passengers faster using facial recognition by computers.
  • Australia proposes scanning faces to see if viewers are old enough to look at porn.

And facial recognition systems are getting better and better at what they do. A November 2018 NIST report on a massive study of facial recognition systems begins,

This report documents performance of face recognition algorithms submitted for evaluation on image datasets maintained at NIST. The algorithms implement one-to-many identification of faces appearing in two-dimensional images.

The primary dataset is comprised of 26.6 million reasonably well-controlled live portrait photos of 12.3 million individuals. Three smaller datasets containing more unconstrained photos are also used: 3.2 million webcam images; 2.5 million photojournalism and amateur photographer photos; and 90 thousand faces cropped from surveillance-style video clips. The report will be useful for comparison of face recognition algorithms, and assessment of absolute capability. The report details recognition accuracy for 127 algorithms from 45 developers, associating performance with participant names. The algorithms are prototypes, submitted in February and June 2018 by research and development laboratories of commercial face recognition suppliers and one university…

The major result of the evaluation is that massive gains in accuracy have been achieved in the last five years (2013-2018) and these far exceed improvements made in the prior period (2010-2013). While the industry gains are broad — at least 28 developers’ algorithms now outperform the most accurate algorithm from late 2013 — there remains a wide range of capabilities. With good quality portrait photos, the most accurate algorithms will find matching entries, when present, in galleries containing 12 million individuals, with error rates below 0.2%

Privacy freaks (me included) would like everyone to be creeped out by this. Yet many people are cool with it to some degree, and perhaps not just because they’re acquiescing to the inevitable.

For example, in Barcelona, CaixaBank is rolling out facial recognition at its ATMs, claiming that 70% of surveyed customers are ready to use it as an alternative to keying in a PIN, and that “66% of respondents highlighted the sense of security that comes with facial recognition.” That the bank’s facial recognition system “has the capability of capturing up to 16,000 definable points when the user’s face is presented at the screen” is presumably of little or no concern. Nor, also presumably, is the risk of  what might get done with facial data if the bank gets hacked, or changes its privacy policy, or if it gets sold and the new owner can’t resist selling or sharing facial data with others who want it, or if government bodies require it.

A predictable pattern for every new technology is that what can be done will be done—until we see how it goes wrong and try to stop doing that. This has been true of every technology from stone tools to nuclear power and beyond. Unlike many other new technologies, however, it is not hard to imagine ways facial recognition by computers can go wrong, especially when it already has.

Two examples:

  1. In June, U.S. Customs and Border Protection, which relies on facial recognition and other biometrics, revealed that photos of people were compromised by a cyberattack on a federal subcontractor.
  2. In August, researchers at vpnMentor reported a massive data leak in BioStar 2, a widely used “Web-based biometric security smart lock platform” that uses facial recognition and fingerprinting technology to identify users, was compromised. Notes the report, “Once stolen, fingerprint and facial recognition information cannot be retrieved. An individual will potentially be affected for the rest of their lives.” vpnMentor also had a hard time getting thrugh to company officials, so they could fix the leak.

As organizations should know (but in many cases have trouble learning), the highest risks of data exposure and damage are to—

  • the largest data sets,
  • the most complex organizations and relationships, and
  • the largest variety of existing and imaginable ways that security can be breached

And let’s not discount the scary potentials at the (not very) far ends of technological progress and bad intent. Killer microdrones targeted at faces, anyone?

So it is not surprising that some large companies doing facial recognition go out of their way to keep personal data out of their systems. For example, by making facial recognition work for the company’s customers, but not for the company itself.

Such is the case with Apple’s late model iPhones, which feature FaceID: a personal facial recognition system that lets a person unlock their phone with a glance. Says Apple, “Face ID data doesn’t leave your device and is never backed up to iCloud or anywhere else.”

But special cases such as that one haven’t stopped push-back against all facial recognition. Some examples—

  • The Public Voice: “We the undersigned call for a moratorium on the use of facial recognition technology that enables mass surveillance.”
  • Fight for the Future: BanFacialRecognition. Self-explanatory, and with lots of organizational signatories.
  • New York Times: “San Francisco, long at the heart of the technology revolution, took a stand against potential abuse on Tuesday by banning the use of facial recognition software by the police and other agencies. The action, which came in an 8-to-1 vote by the Board of Supervisors, makes San Francisco the first major American city to block a tool that many police forces are turning to in the search for both small-time criminal suspects and perpetrators of mass carnage.”
  • Also in the Times, Evan Sellinger and Woodrow Hartzhog write, “Stopping this technology from being procured — and its attendant databases from being created — is necessary for protecting civil rights and privacy. But limiting government procurement won’t be enough. We must ban facial recognition in both public and private sectors, before we grow so dependent on it that we accept its inevitable harms as necessary for “progress.” Perhaps over time appropriate policies can be enacted that justify lifting a ban. But we doubt it.”
  • Cory Doctorow‘s Why we should ban facial recognition technology everywhere is an “amen” to the Selinger & Hartzhog piece.
  • BanFacialRecognition.com lists 37 participating organizations, including EPIC (Electronic Privacy Information Center), Daily Kos, Fight for the Future, MoveOn.org, National Lawyers Guild, Greenpeace and Tor.
  • MIT Technology Revew says bans are spreading in in the U.S.: San Francisco and Oakland, California, and Somerville, Massachusetts, have outlawed certain uses of facial recognition technology, with Portland, Oregon, potentially soon to follow. That’s just the beginning, according to Mutale Nkonde, a Harvard fellow and AI policy advisor. That trend will soon spread to states, and there will eventually be a federal ban on some uses of the technology, she said at MIT Technology Review’s EmTech conference.”

Irony alert: the black banner atop that last story says, “We use cookies to offer you a better browsing experience, analyze site traffic, personalize content, and serve targeted advertisements.” Notes the TimesCharlie Warzel, “Devoted readers of the Privacy Project will remember mobile advertising IDs as an easy way to de-anonymize extremely personal information, such as location data.” Well, advertising IDs are among the many trackers that both MIT Technology Review and The New York Times inject in readers’ browsers with every visit. (Bonus link.)

My own position on all this is provisional, because I’m still learning and there’s a lot to take in. But here goes:

The only entities that should be able to recognize people’s faces are other people. And maybe their pets. But not machines.

However, given the unlkelihood that the facial recognition genie will ever go back in its bottle, I’ll suggest a few rules for entities using computers to do facial recognition. All these are provisional as well:

  1. People should have their own forms of facial recognition, for example to unlock phones or to sort through old photos. But, the data they gather should not be shared with the company providing the facial recognition software (unless it’s just of their own face, and then only for the safest possible diagnostic or service improvement purposes).
  2. Facial recognition used to detect changing facial characteristics (such as emotions, age or wellness) should be required to forget what they see, right after the job is done, and not use the data gathered for any purpose other than diagnostics or performance improvement.
  3. For persons having their faces recognized, sharing data for diagnostic or performance improvement purposes should be opt-in, with data anonymized and made as auditable as possible, by individuals and/or their intermediaries.
  4. For enterprises with systems that know individuals’ (customers’ or consumers’) faces, don’t use those faces to track or find those individuals elsewhere in the online or offline worlds—again, unless those individuals have opted in to the practice.

I suspect that Polanyi would agree with those.

But my heart is with Walt Whitman, whose Song of Myself argued against the dehumanizing nature of mechanization at the dawn of the industrial age. Wrote Walt,

Encompass worlds but never try to encompass me.
I crowd your noisiest talk by looking toward you.

Writing and talk do not prove me.I carry the plenum of proof and everything else in my face.
With the hush of my lips I confound the topmost skeptic…

Do I contradict myself?
Very well then. I contradict myself.
I am large. I contain multitudes.

The spotted hawk swoops by and accuses me.
He complains of my gab and my loitering.

I too am not a bit tamed. I too am untranslatable.
I sound my barbaric yawp over the roofs of the world.

The barbaric yawps by human hawks say five words, very explicitly:

Get out of my face.

And they yawp those words in spite of the sad fact that obeying them may prove impossible.

[Later bonus links…]

 

I came up with that law in the last millennium and it applied until Chevy discontinued the Cavalier in 2005. Now it should say, “You’re going to get whatever they’ve got.”

The difference is that every car rental agency in days of yore tended to get their cars from a single car maker, and now they don’t. Back then, if an agency’s relationship was with General Motors, which most of them seemed to be, the lot would have more of GM’s worst car than of any other kind of car. Now the car you rent truly is whatever. In the last year we’ve rented at least one Kia, Hyundai, Chevy, Nissan, Volkswagen, Ford and Toyota, and that’s just off the top of my head. (By far the best was a Chevy Impala. I actually loved it. So, naturally, it’s being discontinued.)

All of that, of course, applies only in the U.S. I know less about car rental verities in Europe, since I haven’t rented a car there since (let’s see…) 2011.

Anyway, when I looked up doc searls chevy cavalier to find whatever I’d written about my felicitous Fourth Law, the results included this, from my blog in 2004…

Five years later, the train pulls into Madison Avenue

ADJUSTING TO THE REALITY OF A CONSUMER-CONTROLLED MARKET, by Scott Donathon in Advertising Age. An excerpt:

Larry Light, global chief marketing officer at McDonald’s, once again publicly declared the death of the broadcast-centric ad model: “Mass marketing today is a mass mistake.” McDonald’s used to spend two-thirds of its ad budget on network prime time; that figure is now down to less than one-third.

General Motors’ Roger Adams, noting the automaker’s experimentation with less-intrusive forms of marketing, said, “The consumer wants to be in control, and we want to put them in control.” Echoed Saatchi & Saatchi chief Kevin Roberts, “The consumer now has absolute power.”

“It is not your goddamn brand,” he told marketers.

This consumer empowerment is at the heart of everything. End users are now in control of how, whether and where they consume information and entertainment. Whatever they don’t want to interact with is gone. That upends the intrusive model the advertising business has been sustained by for decades.

This is still fucked, of course. Advertising is one thing. Customer relationships are another.

“Consumer empowerment” is an oxymoron. Try telling McDonalds you want a hamburger that doesn’t taste like a horse hoof. Or try telling General Motors that nobody other than rental car agencies wants to buy a Chevy Cavalier or a Chevy Classic; or that it’s time, after 60 years of making crap fixtures and upholstery, to put an extra ten bucks (or whatever it costs) into trunk rugs that don’t seem like the company works to make them look and feel like shit. Feel that “absolute power?” Or like you’re yelling at the pyramids?

Real demand-side empowerment will come when it’s possible for any customer to have a meaningful — and truly valued — conversation with people in actual power on the supply side. And those conversations turn into relationships. And those relationships guide the company.

I’ll believe it when I see it.

Meanwhile the decline of old-fashioned brand advertising on network TV (which now amounts to a smaller percentage of all TV in any case) sounds more to me like budget rationalization than meaningful change where it counts.

Thanks to Terry for the pointer.

Three things about that.

First, my original blog (which ran from 1999 to 2007) is still up, thanks to Jake Savin and Dave Winer, at http://weblog.searls.com. (Adjust your pointers. It’ll help Google and Bing forget the old address.)

Second, I’ve been told by rental car people that the big American car makers actually got tired of hurting their brands by making shitty cars and scraping them off on rental agencies. So now the agencies mostly populate their lots surplus cars that don’t make it to dealers for various reasons. They also let their cars pile up 50k miles or more before selling them off. Also, the quality of cars in general is much higher than it used to be, and the experience of operating them is much more uniform—meaning blah in nearly identical ways.

Third, I’ve changed my mind on brand advertising since I wrote that. Two reasons. One is that brand advertising sponsors the media it runs on, which is a valuable thing. The other is that brand advertising really does make a brand familiar, which is transcendently valuable to the brand itself. There is no way personalized and/or behavioral advertising can do the same. Perhaps as much as $2trillion has been spent on tracking-based digital advertising, and not one brand known to the world has been made by it.

And one more thing: since we don’t commute, and we don’t need a car most of the time, we now favor renting cars over owning them. Much simpler and much cheaper. And the cars we rent tend to be nicer than the used cars we’ve owned and mostly driven into the ground. You never know what you’re going to get, but generally they’re not bad, and not our problem if something goes wrong with one, which almost never happens.

 

Let’s start with Facebook’s Surveillance Machine, by Zeynep Tufekci in last Monday’s New York Times. Among other things (all correct), Zeynep explains that “Facebook makes money, in other words, by profiling us and then selling our attention to advertisers, political actors and others. These are Facebook’s true customers, whom it works hard to please.”

Irony Alert: the same is true for the Times, along with every other publication that lives off adtech: tracking-based advertising. These pubs don’t just open the kimonos of their readers. They bring readers’ bare digital necks to vampires ravenous for the blood of personal data, all for the purpose of aiming “interest-based” advertising at those same readers, wherever those readers’ eyeballs may appear—or reappear in the case of “retargeted” advertising.

With no control by readers (beyond tracking protection which relatively few know how to use, and for which there is no one approach, standard, experience or audit trail), and no blood valving by the publishers who bare those readers’ necks, who knows what the hell actually happens to the data?

Answer: nobody knows, because the whole adtech “ecosystem” is a four-dimensional shell game with hundreds of players

or, in the case of “martech,” thousands:

For one among many views of what’s going on, here’s a compressed screen shot of what Privacy Badger showed going on in my browser behind Zeynep’s op-ed in the Times:

[Added later…] @ehsanakhgari tweets pointage to WhoTracksMe’s page on the NYTimes, which shows this:

And here’s more irony: a screen shot of the home page of RedMorph, another privacy protection extension:

That quote is from Free Tools to Keep Those Creepy Online Ads From Watching You, by Brian X. Chen and Natasha Singer, and published on 17 February 2016 in the Times.

The same irony applies to countless other correct and important reportage on the Facebook/Cambridge Analytica mess by other writers and pubs. Take, for example, Cambridge Analytica, Facebook, and the Revelations of Open Secrets, by Sue Halpern in yesterday’s New Yorker. Here’s what RedMorph shows going on behind that piece:

Note that I have the data leak toward Facebook.net blocked by default.

Here’s a view through RedMorph’s controller pop-down:

And here’s what happens when I turn off “Block Trackers and Content”:

By the way, I want to make clear that Zeynep, Brian, Natasha and Sue are all innocents here, thanks both to the “Chinese wall” between the editorial and publishing functions of the Times, and the simple fact that the route any ad takes between advertiser and reader through any number of adtech intermediaries is akin to a ball falling through a pinball machine. Refresh your page while reading any of those pieces and you’ll see a different set of ads, no doubt aimed by automata guessing that you, personally, should be “impressed” by those ads. (They’ll count as “impressions” whether you are or not.)

Now…

What will happen when the Times, the New Yorker and other pubs own up to the simple fact that they are just as guilty as Facebook of leaking data about their readers to other parties, for—in many if not most cases—God knows what purposes besides “interest-based” advertising? And what happens when the EU comes down on them too? It’s game-on after 25 May, when the EU can start fining violators of the General Data Protection Regulation (GDPR). Key fact: the GDPR protects the data blood of what they call “EU data subjects” wherever those subjects’ necks are exposed in borderless digital world.

To explain more about how this works, here is the (lightly edited) text of a tweet thread posted this morning by @JohnnyRyan of PageFair:

Facebook left its API wide open, and had no control over personal data once those data left Facebook.

But there is a wider story coming: (thread…)

Every single big website in the world is leaking data in a similar way, through “RTB bid requests” for online behavioural advertising #adtech.

Every time an ad loads on a website, the site sends the visitor’s IP address (indicating physical location), the URL they are looking at, and details about their device, to hundreds -often thousands- of companies. Here is a graphic that shows the process.

The website does this to let these companies “bid” to show their ad to this visitor. Here is a video of how the system works. In Europe this accounts for about a quarter of publishers’ gross revenue.

Once these personal data leave the publisher, via “bid request”, the publisher has no control over what happens next. I repeat that: personal data are routinely sent, every time a page loads, to hundreds/thousands of companies, with no control over what happens to them.

This means that every person, and what they look at online, is routinely profiled by companies that receive these data from the websites they visit. Where possible, these data and combined with offline data. These profiles are built up in “DMPs”.

Many of these DMPs (data management platforms) are owned by data brokers. (Side note: The FTC’s 2014 report on data brokers is shocking. See https://www.ftc.gov/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014. There is no functional difference between an #adtech DMP and Cambridge Analytica.

—Terrell McSweeny, Julie Brill and EDPS

None of this will be legal under the #GDPR. (See one reason why at https://t.co/HXOQ5gb4dL). Publishers and brands need to take care to stop using personal data in the RTB system. Data connections to sites (and apps) have to be carefully controlled by publishers.

So far, #adtech’s trade body has been content to cover over this wholesale personal data leakage with meaningless gestures that purport to address the #GDPR (see my note on @IABEurope current actions here: https://t.co/FDKBjVxqBs). It is time for a more practical position.

And advertisers, who pay for all of this, must start to demand that safe, non-personal data take over in online RTB targeting. RTB works without personal data. Brands need to demand this to protect themselves – and all Internet users too. @dwheld @stephan_lo @BobLiodice

Websites need to control
1. which data they release in to the RTB system
2. whether ads render directly in visitors’ browsers (where DSPs JavaScript can drop trackers)
3. what 3rd parties get to be on their page
@jason_kint @epc_angela @vincentpeyregne @earljwilkinson 11/12

Lets work together to fix this. 12/12

Those last three recommendations are all good, but they also assume that websites, advertisers and their third party agents are the ones with the power to do something. Not readers.

But there’s lots readers will be able to do. More about that shortly. Meanwhile, publishers can get right with readers by dropping #adtech and going back to publishing the kind of high-value brand advertising they’ve run since forever in the physical world.

That advertising, as Bob Hoffman (@adcontrarian) and Don Marti (@dmarti) have been making clear for years, is actually worth a helluva lot more than adtech, because it delivers clear creative and economic signals and comes with no cognitive overhead (for example, wondering where the hell an ad comes from and what it’s doing right now).

As I explain here, “Real advertising wants to be in a publication because it values the publication’s journalism and readership” while “adtech wants to push ads at readers anywhere it can find them.”

Doing real advertising is the easiest fix in the world, but so far it’s nearly unthinkable for a tech industry that has been defaulted for more than twenty years to an asymmetric power relationship between readers and publishers called client-server. I’ve been told that client-server was chosen as the name for this relationship because “slave-master” didn’t sound so good; but I think the best way to visualize it is calf-cow:

As I put it at that link (way back in 2012), Client-server, by design, subordinates visitors to websites. It does this by putting nearly all responsibility on the server side, so visitors are just users or consumers, rather than participants with equal power and shared responsibility in a truly two-way relationship between equals.

It doesn’t have to be that way. Beneath the Web, the Net’s TCP/IP protocol—the gravity that holds us all together in cyberspace—remains no less peer-to-peer and end-to-end than it was in the first place. Meaning there is nothing about the Net that prevents each of us from having plenty of power on our own.

On the Net, we don’t need to be slaves, cattle or throbbing veins. We can be fully human. In legal terms, we can operate as first parties rather than second ones. In other words, the sites of the world can click “agree” to our terms, rather than the other way around.

Customer Commons is working on exactly those terms. The first publication to agree to readers terms is Linux Journal, where I am now editor-in-chief. The first of those terms is #P2B1(beta), says “Just show me ads not based on tracking me,” and is hashtagged #NoStalking.

In Help Us Cure Online Publishing of Its Addiction to Personal Data, I explain how this models the way advertising ought to be done: by the grace of readers, with no spying.

Obeying readers’ terms also carries no risk of violating privacy laws, because every pub will have contracts with its readers to do the right thing. This is totally do-able. Read that last link to see how.

As I say there, we need help. Linux Journal still has a small staff, and Customer Commons (a California-based 501(c)(3) nonprofit) so far consists of five board members. What it aims to be is a worldwide organization of customers, as well as the place where terms we proffer can live, much as Creative Commons is where personal copyright licenses live. (Customer Commons is modeled on Creative Commons. Hats off to the Berkman Klein Center for helping bring both into the world.)

I’m also hoping other publishers, once they realize that they are no less a part of the surveillance economy than Facebook and Cambridge Analytica, will help out too.

[Later…] Not long after this post went up I talked about these topics on the Gillmor Gang. Here’s the video, plus related links.

I think the best push-back I got there came from Esteban Kolsky, (@ekolsky) who (as I recall anyway) saw less than full moral equivalence between what Facebook and Cambridge Analytica did to screw with democracy and what the New York Times and other ad-supported pubs do by baring the necks of their readers to dozens of data vampires.

He’s right that they’re not equivalent, any more than apples and oranges are equivalent. The sins are different; but they are still sins, just as apples and oranges are still both fruit. Exposing readers to data vampires is simply wrong on its face, and we need to fix it. That it’s normative in the extreme is no excuse. Nor is the fact that it makes money. There are morally uncompromised ways to make money with advertising, and those are still available.

Another push-back is the claim by many adtech third parties that the personal data blood they suck is anonymized. While that may be so, correlation is still possible. See Study: Your anonymous web browsing isn’t as anonymous as you think, by Barry Levine (@xBarryLevine) in Martech Today, which cites De-anonymizing Web Browsing Data with Social Networks, a study by Jessica Su (@jessicatsu), Ansh Shukla (@__anshukla__) and Sharad Goel (@5harad)
of Stanford and Arvind Narayanan (@random_walker) of Princeton.

(Note: Facebook and Google follow logged-in users by name. They also account for most of the adtech business.)

One commenter below noted that this blog as well carries six trackers (most of which I block).. Here is how those look on Ghostery:

So let’s fix this thing.

[Later still…] Lots of comments in Hacker News as well.

[Later again (8 April 2018)…] About the comments below (60+ so far): the version of commenting used by this blog doesn’t support threading. If it did, my responses to comments would appear below each one. Alas, some not only appear out of sequence, but others don’t appear at all. I don’t know why, but I’m trying to find out. Meanwhile, apologies.

Power of the People is a great grabber of a headline, at least for me. But it’s a pitch for a report that requires filling out the form here on the right:

You see a lot of these: invitations to put one’s digital ass on mailing list, just to get a report that should have been public in the first place, but isn’t so personal data can be harvested and sold or given away to God knows who.

And you do more than just “agree to join” a mailing list. You are now what marketers call a “qualified lead” for countless other parties you’re sure to be hearing from.

And how can you be sure? Read the privacy policy,. This one (for Viantinc.com) begins,

If you choose to submit content to any public area of our websites or services, your content will be considered “public” and will be accessible by anyone, including us, and will not be subject to the privacy protections set forth in this Privacy Policy unless otherwise required by law. We encourage you to exercise caution when making decisions about what information you disclose in such public areas.

Is the form above one of those “public areas”? Of course. What wouldn’t be? And are they are not discouraging caution by requiring you to fill out all the personal data fields marked with a *? You betcha. See here:

III. How we use and share your information

A. To deliver services

In order to facilitate our delivery of advertising, analytics and other services, we may use and/or share the information we collect, including interest-based segments and user interest profiles containing demographic information, location information, gender, age, interest information and information about your computer, device, or group of devices, including your IP address, with our affiliates and third parties, such as our service providers, data processors, business partners and other third parties.

B. With third party clients and partners

Our online advertising services are used by advertisers, websites, applications and other companies providing online or internet connected advertising services. We may share information, including the information described in section III.A. above, with our clients and partners to enable them to deliver or facilitate the delivery of online advertising. We strive to ensure that these parties act in accordance with applicable law and industry standards, but we do not have control over these third parties. When you opt-out of our services, we stop sharing your interest-based data with these third parties. Click here for more information on opting out.

No need to bother opting out, by the way, because there’s this loophole too:

D. To complete a merger or sale of assets

If we sell all or part of our business or make a sale or transfer of our assets or are otherwise involved in a merger or transfer of all or a material part of our business, or participate in any other similar business combination (including, without limitation, in connection with any bankruptcy or similar proceeding), we may transfer all or part of our data to the party or parties involved in the transaction as part of that transaction. You acknowledge that such transfers may occur, and that we and any purchaser of our business or assets may continue to collect, use and disclose your information in compliance with this Privacy Policy.

Okay, let’s be fair: this is boilerplate. Every marketing company—hell, every company period—puts jive like this in their privacy policies.

And Viant isn’t one of marketing’s bad guys. Or at least that’s not how they see themselves. They do mean well, kinda, if you forget they see no alternative to tracking people.

If you want to see what’s in that report without leaking your ID info to the world, the short cut is New survey by people-based marketer Viant promotes marketing to identified users in @Martech_Today.

What you’ll see there is a company trying to be good to users in a world where those users have no more power than marketers give them. And giving marketers that ability is what Viant does.

Curious… will Viant’s business persist after the GDPR trains heavy ordnance on it?

See, the GDPR  forbids gathering personal data about an EU citizen without that person’s clear permission—no matter where that citizen goes in the digital world, meaning to any site or service anywhere. It arrives in full force, with fines of up to 4% of global revenues in the prior fiscal year, on 25 May of this year: about three months from now.

In case you’ve missed it, I’m not idle here.

To help give individuals fresh GDPR-fortified leverage, and to save the asses of companies like Viant (which probably has lawyers working overtime on GDPR compliance), I’m working with Customer Commons (on the board of which I serve) on terms individuals can proffer and companies can agree to, giving them a form of protection, and agreeable companies a path toward GDPR compliance. And companies should like to agree, because those terms will align everyone’s interests from the start.

I’m also working with Linux Journal (where I’ve recently been elevated to editor-in-chief) to make it one of the first publishers to agree to friendly terms its readers proffer. That’s why I posted Every User a Neo there. Other metaphors: turning everyone on the Net into an Archimedes, with levers to move the world, and turning the whole marketplace in to a Marvel-like universe where all of us are enhanced.

If you want to help with any of that, talk to me.

 

The original version of this ran as a comment under Francine Hardaway‘s Medium post titled Have we progressed at all in the last fifty years?

My short answer is “Yes, but not much, and not evenly.” This is my longer answer.


In your case and mine, it has taken the better part of a century to see how some revolutions take generations to play out. Not only won’t we live to see essential revolutions complete; our children and grandchildren may not either.

Take a topic not on your list: racial equality—or moving past race altogether as a Big Issue. To begin to achieve racial equality in the U.S., we fought the Civil War. The result was various degrees of liberation for the people who had been slaves or already freed in Union states; but apartheid of both the de jure and de facto kind persisted. Jim Crow laws and practices emerged, and in still live on in culture if not in law.

The civil rights movement in the Fifties and Sixties caused positive social, political and other changes. The Civil Rights Act of 1964 especially helped. But the murders of Martin Luther King Jr. and Robert F. Kennedy in 1968 put civil rights almost back where it was before its revolution started. I participated in civil rights activism in Greensboro, North Carolina at the time of both assassinations, and I can’t overstate how deep and defeating our despair felt after both events. And that feeling proved correct.

Small incremental improvements followed over the decades since, but no leaps forward like we had before those murders. (Even the election of Barack Obama failed to change a terribly durable status quo. Backlash against that election is at least partly responsible for Trump and the Republican Congress.)

We are still stuck with inequality for races, religions and so much else. Will we ever get over that? I think we will, inevitably; but only if our species survives.

One collateral victim of those assassinations in the Sixties was the near-end of non-violence as a strategy toward change. Martin Luther King Jr. used it very effectively, and kept the flame alive and well-proven until violence took him out. Martyred though he was, it was not to the cause of nonviolence or pacifism, both of which have been back-burnered for fifty years. We (in the largest sense that includes future generations) may never find out if non-violence can ever succeed—because violence is apparently too deeply ingrained as a human trait.

Back to tech.

I too was, and remain, a cyber-utopian. Or at least a cyber-optimist. But that’s because I see cyber—the digitization and networking of the world—as a fait accompli that offers at least as many opportunities for progress as it does for problems. As Clay Shirky says, a sure sign of a good technology is that one can easily imagine bad uses of it.

What I’m not writing at the moment are my thoughts about why some of those advantaged by power, even in small ways, abuse it so easily. I’m not writing it because I know whatever I say will be praised by some, rebuked by others, and either way will be reduced to simplicities that dismiss whatever subtle and complex points I am trying to make, or questions I am trying to ask. (Because my mind is neither sufficiently informed nor made up.) I also know that, within minutes for most of my piece’s readers, the points it makes will be gone like snow on the water, for such is the nature of writing on the vast sea of almost-nothing that “social” media comprises. And, as of today, all other media repose in the social ones.

Some perspective:

Compared to that, and its effects on the planet, all other concerns shrink to insignificance.

But, as The Onion said a few weeks after 9/11, A Shattered Nation Longs to Care About Stupid Bullshit Again.

Stupid bullshit is what the meteor of humanity hitting the planet cares most about. Always has. Wars have been fought over far less.

The only fully consequential question is how we end the Anthropocene. Or how it ends without us.

Tags:

Who Owns the Internet? — What Big Tech’s Monopoly Powers Mean for our Culture is Elizabeth Kolbert‘s review in The New Yorker of several books, one of which I’ve read: Jonathan Taplin’s Move Fast and Break Things—How Facebook, Google, and Amazon Cornered Culture and Undermined Democracy.

The main takeaway for me, to both Elizabeth’s piece and Jon’s book, is making clear that Google and Facebook are at the heart of today’s personal data extraction industry, and that this industry defines (as well as supports) much of our lives online.

Our data, and data about us, is the crude that Facebook and Google extract, refine and sell to advertisers. This by itself would not be a Bad Thing if it were done with our clearly expressed (rather than merely implied) permission, and if we had our own valves to control personal data flows with scale across all the companies we deal with, rather than countless different valves, many worthless, buried in the settings pages of the Web’s personal data extraction systems, as well as in all the extractive mobile apps of the world.

It’s natural to look for policy solutions to the problems Jon and others visit in the books Elizabeth reviews. And there are some good regulations around already. Most notably, the GDPR in Europe has energized countless developers (some listed here) to start providing tools individuals (no longer just “consumers” or “users”) can employ to control personal data flows into the world, and how that data might be used. Even if surveillance marketers find ways around the GDPR (which some will), advertisers themselves are starting to realize that tracking people like animals only fails outright, but that the human beings who constitute the actual marketplace have mounted the biggest boycott in world history against it.

But I also worry because I consider both Facebook and Google epiphenomenal. Large and all-powerful though they may be today, they are (like all tech companies, especially ones whose B2B customers and B2C consumers are different populations—commercial broadcasters, for example) shallow and temporary effects rather than deep and enduring causes.

I say this as an inveterate participant in Silicon Valley who can name many long-gone companies that once occupied Google’s and Facebook’s locations there—and I am sure many more will occupy the same spaces in a fullness of time that will surely include at least one Next Big Thing that obsolesces advertising as we know it today online. Such as, for example, discovering that we don’t need advertising at all.

Even the biggest personal data extraction companies are also not utilities on the scale or even the importance of power and water distribution (which we need to live), or the extraction industries behind either. Nor have these companies yet benefitted from the corrective influence of fully empowered individuals and societies: voices that can be heard directly, consciously and personally, rather than mere data flows observed by machines.

That direct influence will be far more helpful than anything they’re learning now just by following our shadows and sniffing our exhaust, mostly against our wishes. (To grok how little we like being spied on, read The Tradeoff Fallacy: How Marketers are Misrepresenting American Consumers and Opening Them Up to Exploiitation, a report by Joseph Turow, Michael Hennessy and Nora Draper of the Annenberg School for Communication at the University of Pennsylvania.)

Our influence will be most corrective when all personal data extraction companies become what lawyers call second parties. That’s when they agree to our terms as first partiesThese terms are in development today at Customer Commons, Kantara and elsewhere. They will prevail once they get deployed in our browsers and apps, and companies start agreeing (which they will in many cases because doing so gives them instant GDPR compliance, which is required by next May, with severe fines for noncompliance).

Meanwhile new government policies that see us only as passive victims will risk protecting yesterday from last Thursday with regulations that last decades or longer. So let’s hold off on that until we have terms of our own, start performing as first parties (on an Internet designed to support exactly that), and the GDPR takes full effect. (Not that more consumer-protecting federal regulation is going to happen in the U.S. anyway under the current administration: all the flow is in the other direction.)

By the way, I believe nobody “owns” the Internet, any more than anybody owns gravity or sunlight. For more on why, see Cluetrain’s New Clues, which David Weinberger and I put up 1.5 years ago.

Nobody is going to own podcasting.990_large By that I mean nobody is going to trap it in a silo. Apple tried, first with its podcasting feature in iTunes, and again with its Podcasts app. Others have tried as well. None of them have succeeded, or will ever succeed, for the same reason nobody has ever owned the human voice, or ever will. (Other, of course, than their own.)

Because podcasting is about the human voice. It’s humans talking to humans: voices to ears and voices to voices—because listeners can talk too. They can speak back. And forward. Lots of ways.

Podcasting is one way for markets to have conversations; but the podcast market itself can’t be bought or controlled, because it’s not a market. Or an “industry.” Instead, like the Web, email and other graces of open protocols on the open Internet, podcasting is all-the-way deep.

Deep like, say, language. And, like language, it’s NEA: Nobody owns it, Everybody can use it and Anybody can improve it. That means anybody and everybody can do wherever they want with it. It’s theirs—and nobody’s—for the taking.

This is one of the many conclusions (some of them provisional) I reached after two days at The Unplugged Soul: Conference on the Podcast at Columbia’s Tow Center for Digital Journalism, which I live-tweeted through Little Pork Chop and live-blogged through doc.blog at 1999.io.

Both of those are tools created by Dave Winer, alpha dad of blogging, podcasting and syndicating. Dave was half the guests on Friday evening’s opening panel. The other half was Christopher Lydon, whose own podcast, Radio Open Source, was born out of his creative partnership with Dave in the early chapters of podcasting’s Genesis, in 2003, when both were at Harvard’s Berkman (now Berkman Klein) Center.

One way you can tell nobody owns podcasting is that 1.5 decades have passed since 2003 and there are still no dominant or silo’d tools either for listening to podcasts or for making them.

On the listening side, there is no equivalent of, say, the browser. There are many very different ways to get podcasts, and all of them are wildly different as well. Remarkably (or perhaps not), the BigCo leaders aren’t leading. Instead they’re looking brain-dead.

The biggest example is Apple, which demonstrates its tin head through its confusing (and sales-pressure-intensive) iTunes app on computers and its Podcasts app, defaulted on the world’s billion iPhones. That app’s latest version is sadly and stupidly rigged to favor streaming from the cloud over playing already-downloaded podcasts, meaning you can no longer listen easily when you’re offline, such as when you’re on a plane. By making that change, Apple treated a feature of podcasting as a bug. Also dumb: a new UI element—a little set of vertical bars indicating audio activity—that seems to mean both live playing and downloading. Or perhaps neither. I almost don’t want to know at this point, since I have come to hate the app so much.

Other tools by smaller developers (e.g. Overcast) do retain the already-downloaded feature, but work in different ways from other tools. Which is cool to me, because that way no one player dominates.

On the production side there are also dozens of tools and services. As a wannabe podcaster (whose existing output is limited so far to three podcasts in twelve years), I have found none that make producing a podcast as easy as it is to write a blog or an email. (When that happens, watch out.)

So here’s a brief compilation of my gatherings, so far, in no order of importance, from the conference.

  • Podcasting needs an unconference like IIW (the next of which happens the first week of May in Silicon Valley): one devoted to conversation and forward movement of the whole field, and not to showcasing panels, keynotes or sponsoring vendors. One advantage of unconferences is that they’re all about what are side conversations at standard keynote-and-panel conferences. An example from my notes: Good side conversations. One is with Sovana Bailey McLain (@solartsnyc), whose podcast is also a radio show, State of the Arts. And she has a blog too. The station she’s on is WBAI, which has gone through (says Wikipedia) turmoil and change for many decades. An unconference will also foster something many people at the conference said they wanted: more ways to collaborate.
  • Now is a good time to start selling off over-the-air radio signals. Again from my notes… So I have an idea. It’s one WBAI won’t like, but it’s a good one: Sell the broadcast license, keep everything else. WBAI’s signal on 99.5fm is a commercial one, because it’s on the commercial part of the FM band. This NY Times report says an equivalent station (WQXR when it was on 96.3fm) was worth $45 million in 2009. I’m guessing that WBAI’s licence would bring about half that because listening is moving to Net-connected rectangles, and the competition is every other ‘cast in the world. Even the “station” convention is antique. On the Net there are streams and files:stuff that’s live and stuff that’s not. From everywhere. WBAI (or its parent, the Pacifica Foundation), should sell the license while the market is still there, and use the money to fund development and production of independent streams and podcasts, in many new ways.  Keep calling the convening tent WBAI, but operate outside the constraints of limited signal range and FCC rules.
  • Compared to #podcasting, the conventions of radio are extremely limiting. You don’t need a license to podcast. You aren’t left out of the finite number of radio channels and confined geographies. You aren’t constrained by FCC anti-“profanity” rules limiting freedom of speech—or any FCC rules at all. In other words, you can say what the fuck you please, however you want to say it. You’re free of the tyranny of the clock, of signposting, of the need for breaks, and other broadcast conventions. All that said, podcasting can, and does, improve radio as well. This was a great point made on stage by the @kitchensisters.
  • Podcasting conventionally copyrighted music is still impossible. On the plus side, there is no license-issuing or controlling entity to do a deal with the recording industry to allow music on podcasts, because there is nothing close to a podcasting monopoly. (Apple could probably make such a deal if it wanted to, but it hasn’t, and probably won’t.) On the minus side, you need to “clear rights” for every piece of music you play that isn’t “podsafe.” That includes nearly all the music you already know. But then, back on the plus side, this means podcasting is nearly all spoken word. In the past I thought this was a curse. Now I think it’s a grace.
  • Today’s podcasting conventions are provisional and temporary. A number of times during the conference I observed that the sound coming from the stage was one normalized by This American Life and its descendants. In consonance with that, somebody put up a slide of a tweet by @emilybell:podcast genres : 1. Men going on about things. 2. Whispery crime 3.Millennials talking over each other 4. Should be 20 minutes shorter. We can, and will, do better. And other.
  • Maybe podcasting is the best way we have to start working out our problems with race, gender, politics and bad habits of culture that make us unhappy and thwart progress of all kinds. I say that because 1) the best podcasting I know deals with these things directly and far more constructively than anything I have witnessed in other media, and 2) no bigfoot controls it.
  • Archiving is an issue. I don’t know what a “popup archive” is, but it got mentioned more than once.
  • Podcasting has no business model. It’s like the Internet, email and the Web that way. You make money because of it, not with it. If you want to. Since it can be so cheap to do (in terms of both time and money), you don’t have to make money at it if you don’t want to.

I’ll think of more as I go over more of my notes. Meanwhile, please also dig Dave’s take-aways from the same conference.

Ingeyes Google Has Quietly Dropped Ban on Personally Identifiable Web Tracking, @JuliaAngwin and @ProPublica unpack what the subhead says well already: “Google is the latest tech company to drop the longstanding wall between anonymous online ad tracking and user’s names.”

So here’s a message from humanity to Google and all the other spy organizations in the surveillance economy: Tracking is no less an invasion of privacy in apps and browsers than it is in homes, cars, purses, pants and wallets.

That’s because our apps and browsers, like the devices on which we use them, are personal and private. Simple as that. (HT to @Apple for digging that fact.)

To help the online advertising business understand what ought to be obvious (but isn’t yet), let’s clear up some misconceptions:

  1. Tracking people without their clear and conscious permission is wrong. (Meaning The Castle Doctrine should apply online no less than it does in the physical world.)
  2. Assuming that using a browser or an app constitutes some kind of “deal” to allow tracking is wrong. (Meaning implied consent is not the real thing. See The Tradeoff Fallacy: How Marketers Are Misrepresenting American Consumers and Opening Them Up to Exploitation, by Joseph Turow, Ph.D. and the Annenberg School for Communication at the University of Pennsylvania.)
  3. Claiming that advertising funds the “free” Internet is wrong. (The Net has been free for the duration. Had it been left up to the billing companies of the world, we never would have had it, and they never would have made their $trillions on it. More at New Clues.)

What’s right is civilization, which relies on manners. Advertisers, their agencies and publishers haven’t learned manners yet.

But they will.

At the very least, regulations will force companies harvesting personal data to obey those they harvest it from, with fines for not obeying. Toward that end, Europe’s General Data Protection Regulation already has compliance offices at large corporations shaking in their boots, for good reason: “a fine up to 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83, Paragraph 5 & 6).” Those come into force in 2018. Stay tuned.

Companies harvesting personal data also shouldn’t be surprised to find themselves re-classified as fiduciaries, no less responsible than accountants, brokers and doctors for confidentiality on behalf of the people they collect data from. (Thank you, professors Balkin and Zittrain, for that legal and rhetorical hack. Brilliant, and well done. Or begun.)

The only way to fully fix publishing, advertising and surveillance-corrupted business in general is to equip individuals with terms they can assert in dealing with others online — and to do it at scale. Meaning we need terms that work the same way across all the companies we deal with. That’s why Customer Commons and Kantara are working on exactly those terms. For starters. And these will be our terms — not separate and different ones that live at each company we deal with. Those aren’t working now, and never will work, because they can’t. And they can’t because when you have to deal with as many different terms as there are parties supplying them, the problem becomes unmanageable, and you get screwed. That’s why —

There’s a new sheriff on the Net, and it’s the individual. Who isn’t a “user,” by the way. Or a “consumer.” With new terms of our own, we’re the first party. The companies we deal with are second parties. Meaning that they are the users, and the consumers, of our legal “content.” And they’ll like it too, because we actually want to do good business with good companies, and are glad to make deals that work for both parties. Those include expressions of true loyalty, rather than the coerced kind we get from every “loyalty” card we carry in our purses and wallets.

When we are the first parties, we also get scale. Imagine changing your terms, your contact info, or your last name, for every company you deal with — and doing that in one move. That can only happen when you are the first party.

So here’s a call to action.

If you want to help blow up the surveillance economy by helping develop much better ways for demand and supply to deal with each other, show up next week at the Computer History Museum for VRM Day and the Internet Identity Workshop, where there are plenty of people already on the case.

Then follow the work that comes out of both — as if your life depends on it. Because it does.

And so does the economy that will grow atop true privacy online and the freedoms it supports. Both are a helluva lot more leveraged than the ill-gotten data gains harvested by the Lumascape doing unwelcome surveillance.

Bonus links:

  1. All the great research Julia Angwin & Pro Publica have been doing on a problem that data harvesting companies have been causing and can’t fix alone, even with government help. That’s why we’re doing the work I just described.
  2. What Facebook Knows About You Can Matter Offline, an OnPoint podcast featuring Julia, Cathy O’Neill and Ashkan Soltani.
  3. Everything by Shoshana Zuboff. From her home page: “’I’ve dedicated this part of my life to understanding and conceptualizing the transition to an information civilization. Will we be the masters of information, or will we be its slaves? There’s a lot of work to be done, if we are to build bridges to the kind of future that we can call “home.” My new book on this subject, Master or Slave? The Fight for the Soul of Our Information Civilization, will be published by Public Affairs in the U.S. and Eichborn in Germany in 2017.” Can’t wait.
  4. Don Marti’s good thinking and work with Aloodo and other fine hacks.

« Older entries