Informed Consent and Privacy

John Gruber, in 2020:

Just because there is now a multi-billion-dollar industry based on the abject betrayal of our privacy doesn’t mean the sociopaths who built it have any right whatsoever to continue getting away with it. They talk in circles but their argument boils down to entitlement: they think our privacy is theirs for the taking because they’ve been getting away with taking it without our knowledge, and it is valuable. No action Apple can take against the tracking industry is too strong.

Ian Betteridge contrasted this view against one of Gruber’s recent articles, in which his stance appears to have softened on the seriousness of tracking:

I wonder what happened to turn John’s attitude from “no action Apple can take against the tracking industry is too strong” to defending Facebook’s “right” to choose how it invades people’s privacy? Or is he suggesting that a private company is entitled to defend people’s privacy, but governments are not?

To put it another way, should people have an expectation of how private information is used and collected, or should that be wildly different depending on which companies they interact with? Is the status quo of handling private data in the U.S. the optimal legal balance?

John Gruber, responding:

I’ve seen a bit of pushback along this line recently, more or less asking: How come I was against Meta’s tracking but now seem for it? I don’t see any contradiction or change in my position though. The only thing I’d change in the 2020 piece Betteridge quotes is this sentence, which Betteridge emphasizes: “No action Apple can take against the tracking industry is too strong.” I should have inserted an adjective before “tracking” — it’s non-consensual tracking I object to, especially tracking that’s downright surreptitious. Not tracking in and of itself.

Given my review of Byron Tau’s new book, you might expect me to wholly disagree with the idea that anyone can provide consent. I do not — in theory. But in practice and in most circumstances right now, it probably is impossible for users to provide meaningful consent to all of the digital products and services they use.

Consider what full informed consent looks like for Facebook — and just Facebook. One would need to indicate they have read and understood each section of its simplified privacy policy, not just tick the blanket “I Agree” box, or permit it using the App Tracking Transparency dialog. Facebook should show exactly what it is collecting and how it is using this information. Every time a policy changes, Facebook should get an affirmative agreement, too, from each user; none of this “by continuing to use the product, you indicate your agreement” nonsense.

And this is just Facebook. Imagine that across all your accounts everywhere. We have a taste of that on the web with cookie consent panels, and on iOS with the myriad dialogs thrown by app features like accessing your contacts. A typical camera app will likely ask you for four different permissions out of the gate: camera, microphone, photo library, and location access. Adding yet more consents and dialog boxes is hardly an effective solution.

Meta is probably one of the more agreeable players in this racket, too. It hoards data; it does not share much of it. And it has a brand to protect. Data brokers are far worse because nobody knows who they are or what they collect, share, and merge. Scale the informed consent model above across all data brokers you interact with, in each app or website you use. As an example, Het Laatste Nieuws, a popular Dutch-language news site in Belgium, shows in its cookie consent dialog it has over one hundred advertising partners, among the lowest numbers I have seen. (For comparison, Le Monde has over five hundred.) True consent requires you to understand those privacy policies, too. What does Nexxen collect? Which other websites, apps, or products do you use which also partner with Nexxen? Can you find Nexxen in HLN’s partner list? (Probably not — the privacy policies for the first three advertisers I was going to use as an example in that sentence returned 404 errors, and I only found Nexxen because I clicked on the policy for Unruly, which rebranded last year.)

This is a mess from the perspective of users and site operators. A core principle of informed consent is an understanding of risk. Are people presented with adequate information about the risks of accepting tracking? No, not really. Meanwhile, website owners do not want to interrupt visitors with cookie consent forms; they want to interrupt them with email newsletter sign-up forms. Nobody wants to manage a vast database of specific consent agreements.

Gruber is reacting to a draft decision (PDF) by the European Data Protection Board — specifically:

It has to be concluded that, in most cases, it will not be possible for large online platforms to comply with the requirements for valid consent if they confront users only with a binary choice between consenting to processing of personal data for behavioural advertising purposes and paying a fee.

The EDPB’s justification for this is based largely on similar arguments to those I have made above, though it limits the scope of this decision to platforms of gatekeeper scale for similar interconnected rationales as it has used to define those platforms’ unique responsibilities. Interestingly, the EDPB says the mere existence of a fee at all is enough to question whether there is a truly free choice when a no-cost option is also available. It seems to want a third way: no behaviourally informed advertising, at no financial cost to users.

I am not sure there is a good reason to limit to gatekeepers restrictions regarding the use of behavioural advertising. There need to be stricter controls around tracking so that users may have informed consent, regardless of whether it is a corporate behemoth, a news publisher, or a weather app. If we want informed consent, we should have it, but the status quo is a poor excuse for truly informed, truly free consent.