You are currently browsing the archive for the Technology category.

door knocker

Remember the dot com boom?

Doesn’t matter if you don’t. What does matter is that it ended. All business manias do.

That’s why we can expect the “platform economy” and “surveillance capitalism” to end. Sure, it’s hard to imagine that when we’re in the midst of the mania, but the end will come.

When it does, we can have a “privacy debate.” Meanwhile, there isn’t one. In fact there can’t be one, because we don’t have privacy in the online world.

We do have privacy in the offline world, and we’ve had it ever since we invented clothing, doors, locks and norms for signaling what’s okay and what’s not okay in respect to our personal spaces, possessions and information.

That we hardly have the equivalent in the networked world doesn’t mean we won’t. Or that we can’t. The Internet in its current form was only born in the mid-’90s. In the history of business and culture, that’s a blip.

Really, it’s still early.

So, the fact that websites, network services, phone companies, platforms, publishers, advertisers and governments violate our privacy with wanton disregard for it doesn’t mean we can’t ever stop them. It means we haven’t done it yet, because we don’t have the tech for it. (Sure, some wizards do, but muggles don’t. And most of us are muggles.)

And, since we don’t have privacy tech yet, we lack the simple norms that grow around technologies that give us ways signal our privacy preferences. We’ll get those when we have the digital equivalents of buttons, zippers, locks, shades, curtains, door knockers and bells.

This is what many of us have been working on at ProjectVRM, Customer Commons, the Me2B Alliance, MyData and other organizations whose mission is getting each of us the tech we need to operate at full agency when dealing with the companies and governments of the world.

I bring all this up as a “Yes, and” to a piece in Salon by Michael Corn (@MichaelAlanCorn), CISO of UCSD, titled We’re losing the war against surveillance capitalism because we let Big Tech frame the debate. Subtitle: “It’s too late to conserve our privacy — but to preserve what’s left, we must stop defining people as commodities.”

Indeed. And we do need the “optimism and activism” he calls for. In the activism category is code. Specifically, code that gives us the digital equivalents of buttons, zippers, locks, shades, curtains, door knockers and bells

Some of those are in the works. Others are not—yet. But they will be. Inevitably. Especially now that it’s becoming clearer every day that we’ll never get them from any system with a financial interest in violating it*. Or from laws that fail at protecting it.

If you want to help, join one or more of the efforts in the links four paragraphs up. And, if you’re a developer already on the case, let us know how we can help get your solutions into each and all of our digital hands.

For guidance, this privacy manifesto should help. Thanks.

*Especially publishers such as Salon, which Privacy Badger tells me tries to pump 20 potential trackers into my browser while I read the essay cited above. In fact, according to, Salon tends to run 204 tracking requests per page load, and the vast majority of those are for tracking-based advertising purposes. And Salon is hardly unique. Despite the best intentions of the GDPR and the CCPA, surveillance capitalism remains fully defaulted on the commercial Web—and will continue to remain entrenched until we have the privacy tech we’ve needed from the start.

For more on all this, see People vs. Adtech.

empty face

@EvanSelinger tweetedWhile some companies think it’s enough to tweet support for social justice while marketing a tool for oppression, IBM gets out of the facial recognition business & states opposition to mass surveillance & racial profiling. In that tweet he pointed to IBM will no longer offer, develop, or research facial recognition technology (Subhead: IBM’s CEO says we should reevaluate selling the technology to law enforcement), by @jaypeters in The VergeHere is the letter to the U.S. Congress in which Arvind Krishna, IBM’s CEO, says what this is about. The relevant passage:

IBM no longer offers general purpose IBM facial recognition or analysis software. IBM firmly opposes and will not condone uses of any technology, including facial recognition technology offered by other vendors, for mass surveillance, racial profiling, violations of basic human rights and freedoms, or any purpose which is not consistent with our values and Principles of Trust and Transparency. We believe now is the time to begin a national dialogue on whether and how facial recognition technology should be employed by domestic law enforcement agencies.

In About face, I went on the record (while it lasts, anyway) in opposition to facial recognition by machines. I summed up my case this way: The only entities that should be able to recognize people’s faces are other people. And maybe their pets. But not machines.

Privacy Badger found 46 potential trackers trying to load into my browser as I read that piece in The Verge. I’m on record opposing that kinda shit too.

Bonus link.


In the library of Earth’s history, there are missing books, and within books there are missing chapters, written in rock that is now gone. John Wesley Powell recorded the greatest example of gone rock in 1869, on his expedition by boat through the Grand Canyon. Floating down the Colorado River, he saw the canyon’s mile-thick layers of reddish sedimentary rock resting on a basement of gray non-sedimentary rock, the layers of which were cocked at an angle from the flatnesses of every layer above. Observing this, he correctly assumed that the upper layers did not continue from the bottom one, because time had clearly passed between when the basement rock was beveled flat, against its own grain, and when the floors of rock above it were successively laid down. He didn’t know how much time had passed between basement and flooring, and could hardly guess.

The answer turned out to be more than a billion years. The walls of the Grand Canyon say nothing about what happened during that time. Geology calls that nothing an unconformity.

In the decades since Powell made his notes, the same gap has been found all over the world and is now called the Great Unconformity. Because of that unconformity, geology knows close to nothing about what happened in the world through stretches of time up to 1.6 billion years long.

All of those absent records end abruptly with the Cambrian Explosion, which began about 541 million years ago. That’s when the Cambrian period arrived and with it an amplitude of history, written in stone.

Many theories attempt to explain what erased such a large span of Earth’s history, but the prevailing guess is perhaps best expressed in “Neoproterozoic glacial origin of the Great Unconformity”, published on the last day of 2018 by nine geologists writing for the National Academy of Sciences. Put simply, they blame snow. Lots of it: enough to turn the planet into one giant snowball, informally called Snowball Earth. A more accurate name for this time would be Glacierball Earth, because glaciers, all formed from accumulated snow, apparently covered most or all of Earth’s land during the Great Unconformity—and most or all of the seas as well. Every continent was a Greenland or an Antarctica.

The relevant fact about glaciers is that they don’t sit still. They push immensities of accumulated ice down on landscapes and then spread sideways, pulverizing and scraping against adjacent landscapes, bulldozing their ways seaward through mountains and across hills and plains. In this manner, glaciers scraped a vastness of geological history off the Earth’s continents and sideways into ocean basins, where plate tectonics could hide the evidence. (A fact little known outside of geology is that nearly all the world’s ocean floors are young: born in spreading centers and killed by subduction under continents or piled up as debris on continental edges here and there. Example: the Bay Area of California is an ocean floor that wasn’t subducted into a trench.) As a result, the stories of Earth’s missing history are partly told by younger rock that remembers only that a layer of moving ice had erased pretty much everything other than a signature on its work.

I bring all this up because I see something analogous to Glacierball Earth happening right now, right here, across our new worldwide digital sphere. A snowstorm of bits is falling on the virtual surface of our virtual sphere, which itself is made of bits even more provisional and temporary than the glaciers that once covered the physical Earth. Nearly all of this digital storm, vivid and present at every moment, is doomed to vanish because it lacks even a glacier’s talent for accumulation.

The World Wide Web is also the World Wide Whiteboard.

Think about it: there is nothing about a bit that lends itself to persistence, other than the media it is written on. Form follows function; and most digital functions, even those we call “storage”, are temporary. The largest commercial facilities for storing digital goods are what we fittingly call “clouds”. By design, these are built to remember no more of what they once contained than does an empty closet. Stop paying for cloud storage, and away goes your stuff, leaving no fossil imprints. Old hard drives, CDs, and DVDs might persist in landfills, but people in the far future may look at a CD or a DVD the way a geologist today looks at Cambrian zircons: as hints of digital activities that may have happened during an interval about which nothing can ever be known. If those fossils speak of what’s happening now at all, it will be of a self-erasing Digital Earth that was born in the late 20th century.

This theory actually comes from my wife, who has long claimed that future historians will look at our digital age as an invisible one because it sucks so royally at archiving itself.

Credit where due: the Internet Archive is doing its best to make sure that some stuff will survive. But what will keep that archive alive, when all the media we have for recalling bits—from spinning platters to solid-state memory—are volatile by nature?

My own future unconformity is announced by the stack of books on my desk, propping up the laptop on which I am writing. Two of those books are self-published compilations of essays I wrote about technology in the mid-1980s, mostly for publications that are long gone. The originals are on floppy disks that can only be read by PCs and apps of that time, some of which are buried in lower strata of boxes in my garage. I just found a floppy with some of those essays. (It’s the one with a blue edge in the wood case near the right end of the photo above.) If those still retain readable files, I am sure there are ways to recover at least the raw ASCII text. But I’m still betting the paper copies of the books under this laptop will live a lot longer than will these floppies or my mothballed PCs, all of which are likely bricked by decades of un-use.

As for other media, the prospect isn’t any better.

At the base of my video collection is a stratum of VHS videotapes, atop of which are strata of MiniDV and Hi8 tapes, and then one of digital stuff burned onto CDs and stored in hard drives, most of which have been disconnected for years. Some of those drives have interfaces and connections (e.g. FireWire) no longer supported by any computers being made today. Although I’ve saved machines to play all of them, none I’ve checked still work. One choked to death on a CD I stuck in it. That was a failure that stopped me from making Christmas presents of family memories recorded on old tapes and DVDs. I meant to renew the project sometime before the following Christmas, but that didn’t happen. Next Christmas? The one after that? I still hope, but the odds are against it.

Then there are my parents’ 8mm and 16mm movies filmed between the 1930s and the 1960s. In 1989, my sister and I had all of those copied over to VHS tape. We then recorded our mother annotating the tapes onto companion cassette tapes while we all watched the show. I still have the original film in a box somewhere, but I haven’t found any of the tapes. Mom died in 2003 at age 90, and her whole generation is now gone.

The base stratum of my audio past is a few dozen open reel tapes recorded in the 1950s and 1960s. Above those are cassette and micro-cassette tapes, plus many Sony MiniDisks recorded in ATRAC, a proprietary compression algorithm now used by nobody, including Sony. Although I do have ways to play some (but not all) of those, I’m cautious about converting any of them to digital formats (Ogg, MPEG, or whatever), because all digital storage media are likely to become obsolete, dead, or both—as will formats, algorithms, and codecs. Already I have dozens of dead external hard drives in boxes and drawers. And, since no commercial cloud service is committed to digital preservation in the absence of payment, my files saved in clouds are sure to be flushed after neither my heirs nor I continue paying for their preservation. I assume my old open reel and cassette tapes are okay, but I can’t tell right now because both my Sony TCWE-475 cassette deck (high end in its day) and my Akai 202D-SS open-reel deck (a quadrophonic model from the early ’70s) are in need of work, since some of their rubber parts have rotted.

The same goes for my photographs. My printed photos—countless thousands of them dating from the late 1800s to 2004—are stored in boxes and albums of photos, negatives and Kodak slide carousels. My digital photos are spread across a mess of duplicated backup drives totaling many terabytes, plus a handful of CDs. About 60,000 photos are exposed to the world on Flickr’s cloud, where I maintain two Pro accounts (here and here) for $50/year apiece. More are in the Berkman Klein Center’s pro account (here) and Linux Journal‘s (here). I doubt any of those will survive after those entities stop getting paid their yearly fees. SmugMug, which now owns Flickr, has said some encouraging things about photos such as mine, all of which are Creative Commons-licensed to encourage re-use. But, as Geoffrey West tells us, companies are mortal. All of them die.

As for my digital works as a whole (or anybody’s), there is great promise in what the Internet Archive and Wikimedia Commons do, but there is no guarantee that either will last for decades more, much less for centuries or millennia. And neither are able to archive everything that matters (much as they might like to).

It should also be sobering to recognize that nobody truly “owns” a domain on the internet. All those “sites” with “domains” at “locations” and “addresses” are rented. We pay a sum to a registrar for the right to use a domain name for a finite period of time. There are no permanent domain names or IP addresses. In the digital world, finitude rules.

So the historic progression I see, and try to illustrate in the photo at the top of this post, is from hard physical records through digital ones we hold for ourselves, and then up into clouds… that go away. Everything digital is snow falling and disappearing on the waters of time.

Will there ever be a way to save for the very long term what we ironically call our digital “assets?” Or is all of it doomed by its own nature to disappear, leaving little more evidence of its passage than a Great Digital Unconformity, when everything was forgotten?

I can’t think of any technical questions more serious than those two.

The original version of this post appeared in the March 2019 issue of Linux Journal.

A few days ago, in Figuring the Future, I sourced an Arnold Kling blog post that posed an interesting pair of angles toward outlook: a 2×2 with Fragile <—> Robust on one axis and Essential <—> Inessential on the other. In his sort, essential + fragile are hospitals and airlines. Inessential + fragile are cruise ships and movie theaters. Robust + essential are tech giants. Inessential + robust are sports and entertainment conglomerates, plus major restaurant chains. It’s a heuristic, and all of it is arguable (especially given the gray along both axes), which is the idea. Cases must be made if planning is to have meaning.

Now, haul Arnold’s template over to The U.S. Labor Market During the Beginning of the Pandemic Recession, by Tomaz Cajner, Leland D. Crane, Ryan A. Decker, John Grigsby, Adrian Hamins-Puertolas, Erik Hurst, Christopher Kurz, and Ahu Yildirmaz, of the University of Chicago, and lay it on this item from page 21:

The highest employment drop, in Arts, Entertainment and Recreation, leans toward inessential + fragile. The second, in Accommodation and Food Services is more on the essential + fragile side. The lowest employment changes, from Construction on down to Utilities, all tending toward essential + robust.

So I’m looking at those bottom eight essential + robust categories and asking a couple of questions:

1) What percentage of workers in each essential + robust category are now working from home?

2) How much of this work is essentially electronic? Meaning, done by people who live and work through glowing rectangles, connected on the Internet?

Hard to say, but the answers will have everything to do with the transition of work, and life in general, into a digital world that coexists with the physical one. This was the world we were gradually putting together when urgency around COVID-19 turned “eventually” into “now.”

In Junana, Bruce Caron writes,

“Choose One” was extremely powerful. It provided a seed for everything from language (connecting sound to meaning) to traffic control (driving on only one side of the road). It also opened up to a constructivist view of society, suggesting that choice was implicit in many areas, including gender.

Choose One said to the universe, “There are several ways we can go, but we’re all going to agree on this way for now, with the understanding that we can do it some other way later, thank you.” It wasn’t quite as elegant as “42,” but it was close. Once you started unfolding with it, you could never escape the arbitrariness of that first choice.

In some countries, an arbitrary first choice to eliminate or suspend personal privacy allowed intimate degrees of contract tracing to help hammer flat the infection curve of COVID-19. Not arbitrary, perhaps, but no longer escapable.

Other countries face similar choices. Here in the U.S., there is an argument that says “The tech giants already know our movements and social connections intimately. Combine that with what governments know and we can do contact tracing to a fine degree. What matters privacy if in reality we’ve lost it already and many thousands or millions of lives are at stake—and so are the economies that provide what we call our ‘livings.’ This virus doesn’t care about privacy, and for now neither should we.” There is also an argument that says, “Just because we have no privacy yet in the digital world is no reason not to have it. So, if we do contact tracing through our personal electronics, it should be disabled afterwards and obey old or new regulations respecting personal privacy.”

Those choices are not binary, of course. Nor are they outside the scope of too many other choices to name here. But many of those are “Choose Ones” that will play out, even if our choice is avoidance.

[This is the third of four posts. The last of those, Zoom’s new privacy policy, visits the company’s positive response to input such as mine here. So you might want to start with that post (because it’s the latest) and look at the other three, including this one, after that.]

I really don’t want to bust Zoom. No tech company on Earth is doing more to keep civilization working at a time when it could so easily fall apart. Zoom does that by providing an exceptionally solid, reliable, friendly, flexible, useful (and even fun!) way for people to be present with each other, regardless of distance. No wonder Zoom is now to conferencing what Google is to search. Meaning: it’s a verb. Case in point: between the last sentence and this one, a friend here in town sent me an email that began with this:

That’s a screen shot.

But Zoom also has problems, and I’ve spent two posts, so far, busting them for one of those problems: their apparent lack of commitment to personal privacy:

  1. Zoom needs to cleanup its privacy act
  2. More on Zoom and privacy

With this third post, I’d like to turn that around.

I’ll start with the email I got yesterday from a person at a company engaged by Zoom for (seems to me) reputation management, asking me to update my posts based on the “facts” (his word) in this statement:

Zoom takes its users’ privacy extremely seriously, and does not mine user data or sell user data of any kind to anyone. Like most software companies, we use third-party advertising service providers (like Google) for marketing purposes: to deliver tailored ads to our users about Zoom products the users may find interesting. (For example, if you visit our website, later on, depending on your cookie preferences, you may see an ad from Zoom reminding you of all the amazing features that Zoom has to offer). However, this only pertains to your activity on our website. The Zoom services do not contain advertising cookies. No data regarding user activity on the Zoom platform – including video, audio and chat content – is ever used for advertising purposes. If you do not want to receive targeted ads about Zoom, simply click the “Cookie Preferences” link at the bottom of any page on the site and adjust the slider to ‘Required Cookies.’

I don’t think this squares with what Zoom says in the “Does Zoom sell Personal Data?” section of its privacy policy (which I unpacked in my first post, and that Forbes, Consumer Reports and others have also flagged as problematic)—or with the choices provided in Zoom’s cookie settings, which list 70 (by my count) third parties whose involvement you can opt into or out of (by a set of options I unpacked in my second post). The logos in the image above are just 16 of those 70 parties, some of which include more than one domain.

Also, if all the ads shown to users are just “about Zoom,” why are those other companies in the picture at all? Specifically, under “About Cookies on This Site,” the slider is defaulted to allow all “functional cookies” and “advertising cookies,” the latter of which are “used by advertising companies to serve ads that are relevant to your interests.” Wouldn’t Zoom be in a better position to know your relevant (to Zoom) interests, than all those other companies?

More questions:

  1. Are those third parties “processors” under GDPR, or “service providers by the CCPAs definition? (I’m not an authority on either, so I’m asking.)
  2. How do these third parties know what your interests are? (Presumably by tracking you, or by learning from others who do. But it would help to know more.)
  3. What data about you do those companies give to Zoom (or to each other, somehow) after you’ve been exposed to them on the Zoom site?
  4. What targeting intelligence do those companies bring with them to Zoom’s pages because you’re already carrying cookies from those companies, and those cookies can alert those companies (or others, for example through real time bidding auctions) to your presence on the Zoom site?
  5. If all Zoom wants to do is promote Zoom products to Zoom users (as that statement says), why bring in any of those companies?

Here is what I think is going on (and I welcome corrections): Because Zoom wants to comply with GDPR and CCPA, they’ve hired TrustArc to put that opt-out cookie gauntlet in front of users. They could just as easily have used Quantcast‘s system, or consentmanager‘s, or OneTrust‘s, or somebody else’s.

All those services are designed to give companies a way to obey the letter of privacy laws while violating their spirit. That spirit says stop tracking people unless they ask you to, consciously and deliberately. In other words, opting in, rather than opting out. Every time you click “Accept” to one of those cookie notices, you’ve just lost one more battle in a losing war for your privacy online.

I also assume that Zoom’s deal with TrustArc—and, by implication, all those 70 other parties listed in the cookie gauntlet—also requires that Zoom put a bunch of weasel-y jive in their privacy policy. Which looks suspicious as hell, because it is.

Zoom can fix all of this easily by just stopping it. Other companies—ones that depend on adtech (tracking-based advertising)—don’t have that luxury. But Zoom does.

If we take Zoom at its word (in that paragraph they sent me), they aren’t interested in being part of the adtech fecosystem. They just want help in aiming promotional ads for their own services, on their own site.

Three things about that:

  1. Neither the Zoom site, nor the possible uses of it, are so complicated that they need aiming help from those third parties.
  2. Zoom is the world’s leading sellers’ market right now, meaning they hardly need to advertise at all.
  3. Being in adtech’s fecosystem raises huge fears about what Zoom and those third parties might be doing where people actually use Zoom most of the time: in its app. Again, Consumer Reports, Forbes and others have assumed, as have I, that the company’s embrasure of adtech in its privacy policy means that the same privacy exposures exist in the app (where they are also easier to hide).

By severing its ties with adtech, Zoom can start restoring people’s faith in its commitment to personal privacy.

There’s a helpful model for this: Apple’s privacy policy. Zoom is in a position to have a policy like that one because, like Apple, Zoom doesn’t need to be in the advertising business. In fact, Zoom could follow Apple’s footprints out of the ad business.

And then Zoom could do Apple one better, by participating in work going on already to put people in charge of their own privacy online, at scale. In my last post. I named two organizations doing that work. Four more are the Me2B Alliance, Kantara, ProjectVRM, and MyData.

I’d be glad to help with that too. If anyone at zoom is interested, contact me directly this time. Thanks.




Here’s the popover that greets visitors on arrival at Rolling Stone‘s website:

Our Privacy Policy has been revised as of January 1, 2020. This policy outlines how we use your information. By using our site and products, you are agreeing to the policy.

That policy is supplied by Rolling Stone’s parent (PMC) and weighs more than 10,000 words. In it the word “advertising” appears 68 times. Adjectives modifying it include “targeted,” “personalized,” “tailored,” “cookie-based,” “behavioral” and “interest-based.” All of that is made possible by, among other things—

Information we collect automatically:

Device information and identifiers such as IP address; browser type and language; operating system; platform type; device type; software and hardware attributes; and unique device, advertising, and app identifiers

Internet network and device activity data such as information about files you download, domain names, landing pages, browsing activity, content or ads viewed and clicked, dates and times of access, pages viewed, forms you complete or partially complete, search terms, uploads or downloads, the URL that referred you to our Services, the web sites you visit after this web site; if you share our content to social media platforms; and other web usage activity and data logged by our web servers, whether you open an email and your interaction with email content, access times, error logs, and other similar information. See “Cookies and Other Tracking Technologies” below for more information about how we collect and use this information.

Geolocation information such as city, state and ZIP code associated with your IP address or derived through Wi-Fi triangulation; and precise geolocation information from GPS-based functionality on your mobile devices, with your permission in accordance with your mobile device settings.

The “How We Use the Information We Collect” section says they will—

Personalize your experience to Provide the Services, for example to:

  • Customize certain features of the Services,
  • Deliver relevant content and to provide you with an enhanced experience based on your activities and interests
  • Send you personalized newsletters, surveys, and information about products, services and promotions offered by us, our partners, and other organizations with which we work
  • Customize the advertising on the Services based on your activities and interests
  • Create and update inferences about you and audience segments that can be used for targeted advertising and marketing on the Services, third party services and platforms, and mobile apps
  • Create profiles about you, including adding and combining information we obtain from third parties, which may be used for analytics, marketing, and advertising
  • Conduct cross-device tracking by using information such as IP addresses and unique mobile device identifiers to identify the same unique users across multiple browsers or devices (such as smartphones or tablets, in order to save your preferences across devices and analyze usage of the Service.
  • using inferences about your preferences and interests for any and all of the above purposes

For a look at what Rolling Stone, PMC and their third parties are up to, Privacy Badger’s browser extension “found 73 potential trackers on

This kind of shit is why we have the EU’s GDPR (General Data Protection Regulation) and California’s CCPA (California Consumer Privacy Act). (No, it’s not just because Google and Facebook.) If publishers and the adtech industry (those third parties) hadn’t turned the commercial Web into a target-rich environment for suckage by data vampires, we’d never have had either law. (In fact, both laws are still new: the GDPR went into effect in May 2018 and the CCPA a few days ago.)

I’m in California, where the CCPA gives me the right to shake down the vampiretariat for all the information about me they’re harvesting, sharing, selling or giving away to or through those third parties.* But apparently Rolling Stone and PMC don’t care about that.

Others do, and I’ll visit some of those in later posts. Meanwhile I’ll let Rolling Stone and PMC stand as examples of bad acting by publishers that remains rampant, unstopped and almost entirely unpunished, even under these new laws.

I also suggest following and getting involved with the fight against the plague of data vampirism in the publishing world. These will help:

  1. Reading Don Marti’s blog, where he shares expert analysis and advice on the CCPA and related matters. Also People vs. Adtech, a compilation of my own writings on the topic, going back to 2008.
  2. Following what the browser makers are doing with tracking protection (alas, differently†). Shortcuts: Brave, Google’s Chrome, Ghostery’s Cliqz, Microsoft’s Edge, Epic, Mozilla’s Firefox.
  3. Following or joining communities working to introduce safe forms of nourishment for publishers and better habits for advertisers and their agencies. Those include Customer CommonsMe2B AllianceMyData Global and ProjectVRM.


*The bill (AB 375), begins,

The California Constitution grants a right of privacy. Existing law provides for the confidentiality of personal information in various contexts and requires a business or person that suffers a breach of security of computerized data that includes personal information, as defined, to disclose that breach, as specified.

This bill would enact the California Consumer Privacy Act of 2018. Beginning January 1, 2020, the bill would grant a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared. The bill would require a business to make disclosures about the information and the purposes for which it is used. The bill would grant a consumer the right to request deletion of personal information and would require the business to delete upon receipt of a verified request, as specified. The bill would grant a consumer a right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of 3rd parties to which the information was sold or disclosed…

Don Marti has a draft letter one might submit to the brokers and advertisers who use all that personal data. (He also tweets a caution here.)

†This will be the subject of my next post.

newspaperIn a Columbia Journalism Review op-ed, Bernie Sanders presents a plan to save journalism that begins,

WALTER CRONKITE ONCE SAID that “journalism is what we need to make democracy work.” He was absolutely right, which is why today’s assault on journalism by Wall Street, billionaire businessmen, Silicon Valley, and Donald Trump presents a crisis—and why we must take concrete action.

His prescriptive remedies run ten paragraphs long, and all involve heavy government intervention. Rob Williams (@RobWilliamsNY) of MediaPost provides a brief summary in Bernie Sanders Has Misguided Plan To Save Journalism:

Almost two weeks after walking back his criticism of The Washington Post, which he had suggested was a mouthpiece for owner Jeff Bezos, Sanders described a scheme that would re-order the news business with taxes, cross-subsidies and trust-busting…

Sanders also proposes new taxes on online targeted ads, and using the proceeds to fund nonprofit civic-minded media. It’s highly doubtful that a government-funded news provider will be a better watchdog of local officials than an independent publisher. Also, a tax-funded news source will compete with local publishers that already face enough threats.

Then Rob adds,

Sanders needs to recognize that the news business is subject to market forces too big to tame with more government regulation. Consumers have found other sources for news, including pay-TV and a superabundance of digital publishers.

Here’s a lightly edited copy of the comment I put up under Rob’s post:

Journalism as we knew it—scarce and authoritative media resources on print and air—has boundless competition now from, well, everybody.

Because digital.

Meaning we are digital now. (Proof: try living without your computer and smartphone.) As digital beings we float in a sea of “content,” very little of which is curated, and much of which is both fake and funded by the same systems (Google, Facebook and the four-dimensional shell game called adtech) that today rewards publishers for bringing tracked eyeballs to robots so those eyeballs can be speared with “relevant” and “interactive” ads.

The systems urging those eyeballs toward advertising spears are algorithmically biased to fan emotional fires, much of which reduces to enmity toward “the other,” dividing worlds of people into opposing camps (each an “other” for the “other”). Because, hey, it’s good for the ad business, which includes everyone it pays, including what’s left of mainstream and wannabe mainstream journalism.

Meanwhile, the surviving authoritative sources in that mainstream have themselves become fat with opinion while carving away reporters, editors, bureaus and beats. Brand advertising, for a century the most reliable and generous source of funding for good journalism (admittedly, along with some bad), is now mostly self-quarantined to major broadcast media, while the eyeball-spearing “behavioral” kind of advertising rules online, despite attempts by regulators (especially in Europe) to stamp it out. (Because it is in fact totally rude.)

Then there’s the problem of news surfeit, which trivializes everything with its abundance, no matter how essential and important a given story may be. It’s all just too freaking much. (More about that here.)

And finally there’s the problem of “the story”—journalism’s stock-in-trade. Not everything that matters fits the story format (character, problem, movement). Worse, we’re living in a time when the most effective political leaders are giant characters who traffic in generating problems that attract news coverage like a black hole attracts everything nearby that might give light. (More about that here.)

Against all those developments at once, there is hardly a damn thing lawmakers or regulators can do. Grandstanding such as Sanders does in this case only adds to the noise, which Google’s and Facebook’s giant robots are still happy to fund.

Good luck, folks.

So. How do we save journalism—if in fact we can? Three ideas:

  1. Start at the local level, because the physical world is where the Internet gets real. It’s hard to play the fake news game there, and that alone is a huge advantage (This is what my TED talk last year was about, by the way.)
  2. Whatever Dave Winer is working on. I don’t know anybody with as much high-power insight and invention, plus the ability to make stuff happen. (Heard of blogging and podcasting? You might not have if them weren’t for Dave. Some history herehere and here.)
  3. Align incentives between journalism, its funding sources and its readers, listeners and viewers. Surveillance-based adtech is massively misaligned with the moral core of journalism, the brand promises of advertisers and the privacy of every human being exposed to it. Bernie and too many others miss all that, largely because the big publishers have been chickenshit about admitting their role in adtech’s surveillance system—and reporting on it.
  4. Put the users of news in charge of their relationships with the producers of it. Which can be done. For example, we can get rid of those shitty adtech-protecting cookie notices on the front doors of websites with terms that readers can proffer and publishers can agree to, because those terms are a good deal for both. Here’s one.

I think we’ll start seeing the tide turn when when what’s left of responsible ad-funded online publishing cringes in shame at having participated in adtech’s inexcusable surveillance business—and reports on it thoroughly.

Credit where due: The New York Times has started, with its Privacy Project. An excellent report by Farhad Manjoo (@fmanjoo) in that series contains this long-overdue line:”Among all the sites I visited, news sites, including The New York Times and The Washington Post, had the most tracking resources.”

Hats off to Farhad for grabbing a third rail there. I’ve been urging this for a long time, and working especially on #4, through ProjectVRMCustomerCommons and the IEEE’s working group (P7012) on Standard for Machine Readable Personal Privacy Terms. If you want to roll up your sleeves and help with this stuff, join one or more of those efforts.



In 1995, shortly after she first encountered e-commerce, my wife assigned a cool project to the world by asking a simple question: Why can’t I take my shopping cart from site to site?

The operative word in that question is the first person possessive pronoun: my.

Look up personal online shopping cart and you’ll get nearly a billion results, but none are for a shopping cart of your own. They’re all for shopping carts in commercial websites. In other words, those carts are for sellers, not buyers. They may say “my shopping cart” (a search for that one yields 3.1 billion results), but what they mean is their shopping cart. They say “my” in the same coo-ing way an adult might talk to a baby. (Oh, is my diaper full?)

Shopping online has been stuck in this uncool place because it got modeled on client-server, which should have been called “slave-master” when it got named a few decades ago. Eight years ago here (in our September 2011 issue) I called client-server “calf-cow,” and illustrated it with this photo (which a reader correctly said was shot in France, because it was clear to him that these are French cows):


It began,

As entities on the Web, we have devolved. Client-server has become calf-cow. The client—that’s you—is the calf, and the Web site is the cow. What you get from the cow is milk and cookies. The milk is what you go to the site for. The cookies are what the site gives to you, mostly for its own business purposes, chief among which is tracking you like an animal. There are perhaps a billion or more server-cows now, each with its own “brand” (as marketers and cattle owners like to say).

This is not what the Net’s founders had in mind. Nor was it what Tim Berners-Lee meant for his World Wide Web of hypertext documents to become. But it’s what we’ve got, and it’s getting worse.

In February 2011, Eben Moglen gave a landmark speech to the Internet Society titled “Freedom in the Cloud”, in which he unpacked the problem. In the beginning, he said, the Internet was designed as “a network of peers without any intrinsic need for hierarchical or structural control, and assuming that every switch in the Net is an independent, free-standing entity whose volition is equivalent to the volition of the human beings who want to control it”. Alas, “it never worked out that way”. Specifically:

If you were an ordinary human, it was hard to perceive that the underlying architecture of the Net was meant to be peerage because the OS software with which you interacted very strongly instantiated the idea of the server and client architecture.

In fact, of course, if you think about it, it was even worse than that. The thing called “Windows” was a degenerate version of a thing called “X Windows”. It, too, thought about the world in a server-client architecture, but what we would now think of as backwards. The server was the thing at the human being’s end. That was the basic X Windows conception of the world. It served communications with human beings at the end points of the Net to processes located at arbitrary places near the center in the middle, or at the edge of the Net…

No need to put your X Windows hat back on. Think instead about how you would outfit your own shopping cart: one you might take from store to store.

For this it helps to think about how you already outfit your car, SUV or truck: a vehicle that is unambiguously yours, even if you only lease it. (By yours I mean you operate it, as an extension of you. When you drive it, you wear it like a carapace. In your mind, those are my wheels, my engine, my fenders.)

Since you’ll be driving this thing in the online world, there’s a lot more you can do with it than the one obvious thing, which is to keep a list of all the things you’ve put in shopping carts at multiple websites. Instead start with a wish list that might include everything you ought to be getting from e-commerce, but can’t because e-commerce remains stuck in the calf-cow model, so the whole thing is about cows getting scale across many calves. Your personal shopping cart should be a way for you to get scale across all of e-commerce. Depending on how much you want to kit up your cart, you should be able to—

  1. Keep up with prices for things you want that have changed, across multiple sites
  2. Intentcast to multiple stores your intention to buy something, and say under what conditions you’d be willing to buy it
  3. Subscribe and unsubscribe from mailings in one standard way that’s yours
  4. Keep up with “loyalty” programs at multiple sites, including coupons and discounts you might be interested in (while rejecting the vast majority of those that are uninteresting, now or forever)
  5. Keep records of what you’ve bought from particular retailers in the past, plus where and when you bought those things, including warranty information
  6. Let stores know what your privacy policies are, plus your terms and conditions for dealing with them, including rules for how your personal data might be used
  7. Have a simple and standard way to keep in touch with the makers and sellers of what you own—one that works for you and for those others, in both directions
  8. Have a way to change your contact information for any or all of them, in one move
  9. Mask or reveal what you wish to reveal about yourself and your identity, with anonymity as the default
  10. Pay in the fiat or crypto currency of your choice
  11. Use your own damn wallet, rather than using a Google, Apple or a Whatever wallet
  12. Everything else on the ProjectVRM punch list, where you’ll find links to work on many of the ideas above.

Yes, I know. All those things fly in the face of Business As Usual. They’ll be fought by incumbents, require standards or APIs that don’t yet exist, and so on. But so what. All those things also can be done technically. And, as Marc Andreessen told me (right here in Linux Journal, way back in 1998), “all the significant trends start with technologists.” So start one.

You also don’t need to start with a shopping cart. Anything on that list can stand alone or be clustered in some other… well, pick your metaphor: dashboard, cockpit, console, whatever. It might also help to know there is already development work in nearly all of those cases, and an abundance of other opportunities to revolutionize approaches to business online that have been stuck for a long time. To explain how long, here is the entire text of a one-slide presentation Phil Windley gave a few years ago:


1995: Invention of the Cookie

The End

Now is the time to break out of the cookie jar where business has been stuck for an inexcusably long time.

It’s time to start working for customers, and making them more than just “users” or “consumers.” Think Me2B and not just B2C. Make customertech and not just salestech, adtech and martech. Give every customer leverage:

By doing that, you will turn the whole marketplace into a Marvel-like universe where all of us are enhanced.

For inspiration, think about what Linux did against every other operating system. Think about what the Internet did to every LAN, WAN, phone company and cable company in the world. Think about what the Web did to every publishing system.

Linux, the Net and the Web each had something radical in common: they extended the power of individual human beings before they utterly reformed every activity and enterprise that came to depend on them.

If you’re interested in any of those projects above, talk to me. Or just start working on it, and tell me about it so I can help the world know.

This is wrong:

Because I’m not blocking ads. I’m blocking tracking.

In fact I welcome ads—especially ones that sponsor The Washington Post and other fine publishers. I’ll also be glad to subscribe to the Post once it stops trying to track me off their site. Same goes for The New York Times, The Wall Street Journal and other papers I value and to which I no longer subscribe.

Right now Privacy Badger protects me from 20 and 35 potential trackers at those papers’ sites, in addition to the 19 it finds at the Post. Most of those trackers are for stalking readers like marked animals, so their eyeballs can be shot by “relevant,” “interest-based” and “interactive” ads they would never request if they had much choice about it—and in fact have already voted against with ad blocking, which by 2015 was already the biggest boycott in world history. As I point out in that link (and Don Marti did earlier in DCN), there was in that time frame a high correlation between interest in blocking ads and interest (surely by the ad industry) in retargeting, which is the most obvious evidence to people that they are being tracked. See here:

Tracking-based ads, generally called adtech, do not sponsor publications. They use publications as holding pens in which human cattle can be injected with uninvited and unwelcome tracking files (generally called cookies) so their tracked eyeballs can be shot, wherever they might show up, with ads aimed by whatever surveillance data has been gleaned from those eyeballs’ travels about the Net.

Real advertising—the kind that makes brands and sponsors publications—doesn’t track people. Instead it is addressed to whole populations. In doing so it sponsors the media it uses, and testifies to those media’s native worth. Tracking-based ads can’t and don’t do that.

That tracking-based ads pay, and are normative in the extreme, does not make right the Post‘s participation in the practice. Nor does it make correct the bad thinking (and reporting!) behind notices such as the one above.

Let’s also be clear about two myths spread by the “interactive” (aka “relevant” and “interest-based”) advertising business:

  1. That the best online advertising is also the most targeted—and “behavioral” as well, meaning informed by knowledge about an individual, typically gathered by tracking. This is not the kind of advertising that made Madison Avenue, that created nearly every brand you can name, and that has sponsored publishers and other media for the duration. Instead it is direct marketing, aka direct response marketing. Both of those labels are euphemistic re-brandings that the direct mail business gave itself after the world started calling it junk mail. Sure, much (or most) of the paid messages we see online are called advertising, and look like advertising; but as long as they want to get personal, they’re direct marketing.
  2. That tracking-based advertising (direct marketing by another name) is the business model of the “free” Internet. In fact the Internet at its base is as free as gravity and sunlight, and floats all business boats, whether based on advertising or not.

Getting the world to mistake direct marketing for real advertising is one of the great magic tricks of all time: a world record for misdirection in business. To help explain the difference, I wrote Separating Advertising’s Wheat From Chaff, the most quoted line from which is “Madison Avenue fell asleep, direct response marketing ate its brain, and it woke up as an alien replica of itself.” Alas, the same is true for the business offices of the Post and every other publisher that depends on tracking. They ceased selling their pages as spaces for sponsors and turned those spaces over to data vampires living off the blood of readers’ personal data.

There is a side for those publishers to take on this thing, and it’s not with the tracking-based advertising business. It is with their own moral backbone, and with the readers who still keep faith in it.

If any reporter (e.g.@CraigTimberg @izzadwoskin@nakashimae ‏and @TonyRomm) wants to talk to me about this, write me at doc at or DM me here on Twitter.* Thanks.

Bonus link (and metaphor)

*So far, silence. But hey: I know I’m asking journalists to grab a third rail here. And it’s one that needs to be grabbed. There might even be a Pulitzer for whoever grabs it. Because the story is that big, and it’s not being told, at least not by any of the big pubs. The New York TimesPrivacy Project has lots of great stuff, but none that grabs the third rail. The closest the Times has come is You’re not alone when you’re on Google, by Jennifer Senior (@JenSeniorNY). In it she says “your newspaper” (alas, not this one) is among the culprits. But it’s a step. We need more of those. (How about it, @cwarzel?)†

[Later…] We actually have a great model for how the third rail might be grabbed, because The Wall Street Journal wrestled it mightily with the What They Know series, which ran from 2010 to 2012. For most of the years after that, the whole series, which was led by Julia Angwin and based on lots of great research, was available on the Web for everybody at But that’s a 404 now. If you want to see a directory of the earliest pieces, I list them in a July 2010 blog post titled The Data Bubble. That post begins,

The tide turned today. Mark it: 31 July 2010.

That’s when The Wall Street Journal published The Web’s Gold Mine: Your Secrets, subtitled A Journal investigation finds that one of the fastest-growing businesses on the Internet is the business of spying on consumers. First in a series. It has ten links to other sections of today’s report.

Alas, the tide did not turn. It kept coming in and getting deeper. And now we’re drowning under it.

† I did hear from Charlie Warzel (@cwarzel), who runs the Privacy Project series at the Times , and assured me that they would be covering the issue. And (Yay!) it did, with I Visited 47 Sites. Hundreds of Trackers Followed Me, by Farhad Manjoo (@fmanjoo). This was followed by critique of that piece titled Privacy Fundamentalism, by Ben Thompson in Stratechery. I responded to both with On Privacy Fundamentalism. So check those out too.

The answer is, we don’t know. Also, we may never know, because—

  • It’s too hard to measure (especially if you’re talking about the entire Net).
  • Too so much of the usage is in mobile devices of too many different kinds.
  • The browser makers are approaching ad blocking and tracking protection in different and new ways that change frequently, and the same goes for ad-blocking and tracking-protecting extensions and add-ons. One of them (Adblock Plus) is actually in the advertising business (which Wikipedia politely calls ad filtering) in the sense that they sell safe package for paying advertisers.
  • Some of the most easily sourced measures are surveys, yet what people say and what they do can be very different things.
  • Some of the most widely cited findings are from sources with conflicted interests (for example, selling anti-ad-blocking services), or which aggregate multiple sources that aren’t revealed when cited.
  • Actors good and bad in the ecosystem that ad blocking addresses also contribute to the fudge.

But let’s explore a bit anyway, working with what we’ve got, flawed though much of it may be. If you’re a tl;dr kind of reader, jump down to the conclusions at the end.

Part 1: ClarityRay and Pagefair

Between 2012 and 2017, the most widely cited ad blocking reports were by ClarityRay and PageFair, in that order. There are no links to ClarityRay’s 2012 report, which I cited here in 2013. PageFair links to their 2015, 2016 (mobile) and 2017 reports are still live. The company also said last November that it was at work on another report. This was after PageFair was acquired by Blockthrough (“the leading adblock recovery program”). A PageFair blog post explains it.

I placed a lot of trust in PageFair’s work, mostly because I respected Dr. Johnny Ryan (@JohnnyRyan), who left PageFair for Brave in 2018. I also like what I know about Matthew Cortland, who was also at PageFair, and may still be. Far as I know, he hasn’t written anything about ad blocking research (but maybe I’ve missed it) since 2017.

Here are the main findings from PageFair’s 2017 report:

  • 615 million devices now use adblock
  • 11% of the global internet population is blocking ads on the web

Part 2: GlobalWebIndex

In January 2016, GlobalWebIndex said “37% of mobile users … say they’ve blocked ads on their mobile within the last month.” I put that together with Statista’s 2017 claim that there were then more than 4.6 billion mobile phone users in the world, which suggested that 1.7 billion people were blocking ads by that time.

Now GlobalWebIndex‘s Global Ad-Blocking Behavior report says 47% of us are blocking ads now. It also says, “As a younger and more engaged audience, ad-blockers also are much more likely to be paying subscribers and consumers. Ad-free premium services are especially attractive.” Which is pretty close to Don Marti‘s long-standing claim that readers who protect their privacy are more valuable than readers who don’t.

To get a total ad blocking population from that 47%, one possible source to cite is Internet World Stats:

Note that Internet World Stats appears to be a product of the Miniwatts Marketing Group, whose website is currently a blank WordPress placeholder. But, to be modest about it, their number is lower than Statista’s from 2016: “In 2019 the number of mobile phone users is forecast to reach 4.68 billion.” So let’s run with the lower one, at least for now.

Okay, so if 47% of us are using ad blockers, and Internet World Stats says there were 4,312,982,270 Internet users by the end of last year (that’s mighty precise!), the combined numbers suggest that more than 2,027,101,667 people are now blocking ads worldwide. So, we might generalize, more than two billion people are blocking ads today. Hence the headline above.

Perspective: back in 2015, we were already calling ad blocking The biggest boycott in human history. And that was when the number was just “approaching 200 million.”

More interesting to me is GlobalWebIndex’s breakouts of listed reasons why the people surveyed blocked ads. Three in particular stand out:

  • Ads contain viruses or bugs, 38%
  • Ads might compromise my online privacy, 26%
  • Stop ads being personalized, 22%

The problem here, as I said in the list up top, is that these are measured behaviors. They are sympathies. But they’re still significant, because sympathies sell. That means there are markets here. Opportunities to align incentives.

Part 3: Ad Fraud Researcher

I rely a great deal on Dr. Augustine Fou (@acfou), aka Independent Ad Fraud Researcher, to think and work more deeply and knowingly than I’ve done so far here (or may ever do).

Looking at Part 2 above (in an earlier version of this post), he tweeted, “I dispute these findings. ASKING people if they used an ad blocker in the past month is COMPLETELY inaccurate and inconsistent with people who ACTUALLY USE ad blockers regularly.” Also, “Source: GlobalWebIndex Q3 2018 Base: 93,803 internet users aged 16-64, among which were 42,078 respondents who have used an ad-blocker in the past month”. Then, “Are you going to take numbers extrapolated from 42,078 respondents and extrapolate that to the entire world? that would NOT be OK.” And, “Desktop ad blocking in the U.S. measured directly on sites which humans visit is in the 8 – 19% range. Bots must also be scrubbed because bots do not block ads and will skew ad blocking rates lower, if not removed.”

On that last tweet he points to his own research, published this month.There is lots of data in there, all of it interesting and unbiased. Then he adds, “your point about this being the ‘biggest boycott in human history’ is still valid. But the numbers from that ad blocking study should not be used.”

Part 4: Comscore

Among the many helpful tweets in response to the first draft of this post was this one by Zubair Shafiq (@zubair_shafiq), Assistant Professor of Computer Science at the University of Iowa, where he researches computer networks, security, and privacy. His tweet points to Ad Blockers: Global Prevalence and Impact, by Matthew Malloy, Mark McNamara, Aaron Cahn and Paul Barford, from 2016. Here is one chart among many in the report:

The jive in the Geo row is explained at that link. A degree in statistics will help.

Part 5: Statista

Statista seems serious, but Ad blocking user penetration rate in the United States from 2014 to 2020 is behind a paywall. Still, they do expose this hunk of text: “The statistic presents data on ad blocking user penetration rate in the United States from 2014 to 2020. It was found that 25.2 percent of U.S. internet users blocked ads on their connected devices in 2018. This figure is projected to grow to 27.5 percent in 2020.”

Provisional Conclusions

  1. The number is huge, but we don’t know how huge.
  2. Express doubt about any one large conclusion. Augustine Fou cautions me (and all of us) to look at where the data comes from, why it’s used, and how. In the case of Statista, for example, the data is aggregated from other sources. They don’t do the research themselves. It’s also almost too easy to copy and paste (as I’ve done here) images that might themselves be misleading. The landmark book on misleading statistics—no less relevant today than when it was written in 1954 (and perhaps more relevant than ever)—is How to Lie With Statistics.
  3. Everything is changing. For example, browsers are starting to obsolesce the roles played by ad blocking and tracking protection extensions and add-ons. Brave is the early leader, IMHO. Safari, Firefox and even Chrome are all making moves in this direction. Also check out Ghostery’s Cliqz. For some perspective on how long this is taking, take a look at what I was calling for way back in 2015.
  4. Still, the market is sending a massive message. And that’s what fully matters. The message is this: advertising online has come to have massively negative value.

Ad blocking and tracking protection are legitimate and eloquent messages from demand to supply. By fighting that message, marketing is crapping on most obvious and gigantic clue it has ever seen. And the supply side of the market isn’t just marketers selling stuff. It’s developers who need to start working for the hundreds of millions of customers who have proven their value by using these tools.

« Older entries § Newer entries »