Data Privacy Year
Today is Data Privacy Day, known in Europe as Data Protection Day.
It's not new. Though created in 2006, it commemorates the Council of Europe treaty creating "the first binding international instrument which protects the individual against abuses which may accompany the collection and processing of personal data and which seeks to regulate at the same time the transfrontier flow of personal data." The treaty was signed on January 28, 1981, a date when the ancestors of today's PCs were still in the wombs of IBM and Apple. Hats off to Eurocrats who were decades ahead of a problem that's worse than ever.
Clearly, a day isn't enough—not when most humans are still naked as newborns in the digital world, and not much better equipped to protect and project their privacy there.
See, like nature in the physical world, the digital world came without privacy. But while we've had millennia to make privacy meaningful in the physical world, we've had only a few decades here in the virtual one where you're reading this now. And so far we've failed.
Sure, most of us alpha geeks are adept at guarding our private lives and spaces in the digital world, but let's face it, that world is a jungle where the apex predators are vampires living off the blood of personal data, and the sum of victims rounds to everybody.
So, although we salute the organizations celebrating this day, we are looking instead at the gigantic pile of work to be done before humans begin to enjoy the same degrees of personal privacy online as they've had in the offline world since the invention of clothing and shelter.
That work is the job of the world's hackers, which is us. And that's why we're declaring 2019 Data Privacy Year. Because a year should be enough at least to start making real progress toward personal data privacy online.
It should help to know two things:
1) Laws alone won't give us personal privacy online, especially when the GDPR, the most far-reaching privacy law in our time, has thus far resulted in far more annoyance than change, manifesting absurdities such as cookie notices on websites that mean about as much as one of these on the front door of your house:
2) If your privacy is up to the good manners of sites and services on the internet, you don't have any. For example, "notice and consent"—the prevailing method for obtaining "consent" that's used by approximately the entire commercial web (and mocked in the image above)—is worse than broken. Among other failings, it requires operational and cognitive overhead so high for everybody that it simply can't work. You can visit that overhead in the ad choices system, which puts little blue icons in the corners of ads everywhere. That link says the system is about "your" ad choices, but overwhelms your mind by presenting as many different rosters of third-party advertising companies (most of which you've never heard of and know nothing about) for you to "control" as there are ads that display the icon. And then it gives you hardly any way at all to manage those choices across your own devices or to monitor their compliance in any way. It's all up to them, and their business is still about sucking your data blood.
We need tools of our own. Personal tools. Ones that go beyond prophylaxis. Ones that let us operate as first parties, so we can proffer terms that sites and services can accept, rather than the other way around. Ones that give us ways to signal what's okay and what's not okay in respect to our privacy.
To guide that work, we've published a Privacy Manifesto on the home site of our parent company, London Trust Media, and a draft of future revisions on the ProjectVRM wiki, which I've maintained for more than 12 years and has contributions from a large list of participants, which you're free to join. A constantly changing list of developments toward personal privacy protection is on the developments page of that wiki as well.
So we're not starting at zero here, but we have a lot to do. Let's do it. And then let's see how far we've come by Data Privacy Day, 2020.