“I’m going to change the system from within,” a university housemate said proudly as she went off to law school. A couple of years later, she was more sanguine: “The pressure on you to conform is so strong that you give in.”
I think of her every time a privacy advocate friend takes a job with a huge data-guzzling firm, always ardently believing their hiring proves that their new employer really cares about privacy. From there, either they become assimilated into defending practices they used to excoriate, or they quit in frustration. Usually, the latter.
It is this experience that Northeastern University professor Ari Ezra Waldman documents in Industry Unbound: The Inside Story of Privacy, Data, and Corporate Power, for which he embedded himself in three (unnamed) companies in order to document how privacy laws play out in real-world practice. From this vantage point, he attends meetings and watches as his chosen companies design and release products, write privacy policies, and brief politicians and lobbyists.
Waldman’s findings in the book, described in a recent talk at the Computers, Privacy, and Data Protection (CPDP) conference, are depressing — especially for those who have spent large parts of their careers ushering data protection and privacy laws into existence.
“An army of foot soldiers, who ironically see themselves as part of the resistance,” is what he calls the legions of privacy professionals on whom Silicon Valley CEOs depend for a privacy-friendly veneer over the manipulation and deception that are endemic in today’s apps and online services.
Information capitalism
Over and over again, Waldman sees engineering and design teams exclude the privacy personnel he watches, while the privacy teams themselves spend enormous effort writing the kinds of policies that none of us want to read. Does their work “performing accountability” eventually result in consumer-friendly changes to products? Well…no. All the impact assessments in the world are insufficient to stop these companies from putting out products that default to “dark patterns” or change the relationship they have built between collecting data and generating profits.
“Information capitalism,” as Waldman calls it, survives the entire process of legal compliance unchanged. It has assimilated the privacy laws and normalised warping the laws’ intent to serve its own interests.
Often, the laws themselves don’t help as much as they should. Vaguely written clauses enable businesses to stay inside the law without really changing their data extraction practices. What’s needed in such cases, Waldman writes in a chapter on how to make changes, is unequivocal bans. No amount of tweaking, for example, will make facial recognition benign, and someone whose life has been damaged by a decision made by an algorithm is not sufficiently protected by a law that gives them the right to understand how the decision was made. In addition, privacy law could learn from other sectors such as securities law, which specifies standards for independent audits and oversight.
No-one wants to blame well-meaning, highly-trained professionals who are doing their best. But, Waldman concludes, the reality is that information capitalism survives in part because of the efforts of today’s privacy professionals. Next time a friend says they’re taking one of those jobs, get them to read Waldman first.
RECENT AND RELATED CONTENT
How to delete your Twitter account and protect your data
The best encryption software: Protect your data
UK privacy watchdog fines Clearview AI £7.5m and orders UK data to be deleted
Murena, the privacy-first Android smartphone, arrives
Meta updates privacy policy with more detail about what data it collects