Don’t wait for the government to fix privacy. Any attempt to curtail and reverse the growing power of surveillance capitalism will have to start from us — the people — through grassroots mobilization.
Why?
Institutions in power do not willingly give up their power — it must be wrested from them. And, make no mistake, unilateral control over the collection and processing of personal data is one of the strongest emergent forms of power in the information age. It is the lifeblood of a trillion dollar global industry.
Sometimes a government that serves the people can be trusted do this wresting, assuming the privacy-violating institution is not the government itself. For example, anti-trust regulation can prevent the formation of exploitative corporate monopolies.
Not so when it comes to the protection of personal data. At least not yet.
Why?
It’s an incentives problem. Or rather, an incentive alignment problem. The checks aren’t balanced. Personal data aggregators (e.g., Facebook and Google) are massive economic boons. They create desirable, well-paying jobs. They attract top talent. They also offload the costs of intelligence surveillance to the private sector. Rather than relying only on their own expensive personal data collection pipelines, intelligence agencies can instead subpoena data aggregators for this information.
When government and corporate incentives are aligned, we cannot rely on governments to wrest power from corporations. In fact, we are more likely to see the opposite. I see parallels between the state of digital privacy today and labor in the beginning of the industrial age.
In the early industrial age, powerful and well-funded institutions required (and disproportionately benefited from) the contributions of individual workers. As individuals, these workers had little ability to change the system due to the overwhelming power imbalance between themselves and their employers. Moreover, individual workers had little choice to leave these employers — there were only a few employers, and they all operated similarly. In the early phases of grassroots organization to rebalance power, legal doctrines reinforced the property rights of employers over the ability of employees to organize—indeed, many of the early enforcement actions under the Sherman Antitrust Act of 1890 were used on behalf of employers to break alleged “monopolies” of workers seeking to strike.
In the early information age (i.e., now), powerful and well-funded data aggregators require (and disproportionately benefit from) the contributions of individual users. As individuals, these users have little ability to change the system due to the overwhelming power imbalance between themselves and these data aggregators. Moreover, individual users have little choice to leave these data aggregators — there are only a few, and they all operate similarly. While we are still only beginning to explore grassroots movements seeking to rebalance power, existing legal doctrines are likely to reinforce the property rights of data aggregating institutions over the ability for individuals to, e.g., raise public awareness of the internal surveillance processes of these institutions (e.g., see what happened to Snowden for a poignant example).
Punitive regulatory bodies like the FTC exist. And sometimes they can do damage (e.g., fining Facebook to the tune of $5 billion dollars for the Cambridge Analytica scandal). But the expected punitive damages, to these data aggregators, of doing whatever-the-hell-they-want with your data is miniscule vis-a-vis the expected monetary gains of doing so.
What can we do about it?
While the early phases of grassroots labor mobilization in the Industrial Age did not favor workers, gradually the Progressive era saw progress for worker and consumer protections vis-a-vis large corporations. Collective action by workers was matched with political action on behalf of workers and consumers, such as limited work weeks, pay increases, and the Food and Drug Act of 1906. These Progressive era reforms expanded during the 1930’s, with protections for labor union collective action guaranteed by the Norris-LaGuardia Act of 1930 and the Wagner Act of 1935. One result was greater income equality in the U.S.—scholars have termed the period 1937 to 1947 the “Great Compression,” to describe the sharp fall of income inequality compared to the earlier period of the “Robber Barons.” 1
It was by no means easy. It was by no means quick. But only through grassroots organization was power ultimately wrested from the industrial capitalists.
This will be much harder to replicate for improved digital privacy protections for at least three reasons:
- Privacy threats aren’t visceral; they’re secondary. Consider the fact that when you use a computer, your goal is not to “be private.” Your goal is to find information, share a story, or do work, and you would like to have a veil of privacy in so doing. Most of the time, you are not actively affected by what Google or Facebook are doing with your data. Contrast this with, e.g., the inability to consistently feed your family because you get paid a pittance despite working 80 hours per week. The latter problem is far more visceral. So, unlike laborers at the beginning of the Information Age, it will take a lot more to mobilize people to act in the interest of their own privacy.
- The platforms that facilitate grassroots mobilization may be the same privacy offenders that must be demonstrated against. When you think about the most impactful Internet-facilitated collective action movements, you probably think of things like the Arab spring or the Occupy protests. These movements were facilitated through platforms like Facebook and Twitter — indeed, the unprecedented connective capabilities of these platforms allowed for these movements to rapidly grow and reach critical mass. But therein lies the problem: what if the connective platforms, themselves, are the ones that we are trying to protest against?
- There are vast information asymmetries between data aggregators and the individuals whose data they collect and monetize. Do you know what data Google has collected about you? Do you know what Facebook has inferred about you from your posts and your friends? You may be able to guess, but unless you work for those companies, it is impossible to say with certainty. Until we learn about privacy violations through publicized data breaches, whistleblowers, or investigative journalism, individuals know little about how their data is used, processed and monetized. That makes it hard to make concrete, actionable demands. There is a need for expert stewardship to convert the will of the masses into concrete demands for change and redress. But experts are often embedded within existing systems of power and have little incentive to advocate for sweeping change.
Sure, this will be hard. But it’s the only shot we got. And it can work — we’re already beginning to see the fruits of grassroots collective action to improve consumer privacy protections. The California Consumer Privacy Act (CCPA), for example, became a ballot measure after 600,000 Californians petitioned for it.
In short: Don’t wait for the government to fix privacy. Any attempt to curtail and reverse the growing power of surveillance capitalism will have to start from us — the people — through grassroots mobilization. Pass it on.
Thanks for reading! If you think you or your company could benefit from my expertise, I’d be remiss if I didn’t alert you to the fact that I am an independent consultant and accepting new clients. My expertise spans UX, human-centered cybersecurity and privacy, and data science.
If you read this and thought: “whoah, definitely want to be spammed by that guy”, there are three ways to do it:
- Subscribe to my mailing list (spam frequency: a couple of times a month.)
- Follow me on Twitter (spam frequency: weekly)
- Subscribe to my YouTube channel (spam frequency: ¯\_(ツ)_/¯)
You also can do none of these things, and we will all be fine.
-
I drew some of this text from a pre-publication article I co-authored with Keith Edwards, DeBrae Kennedy-Mayo and Peter Swire at Georgia Tech. ↩