Pluralistic: EU to Facebook, 'Drop Dead' (07 Dec 2022)

Today's links

A theater proscenium. Over the proscenium, in script, are the words 'Consent Theatre.' On the screen is an image of Mark Zuckerberg standing in front of the words 'Data Privacy.' He is gesturing expansively. A targeting reticle is centered on his face. The reticle is made of the stars from the EU flag.

EU to Facebook, 'Drop Dead' (permalink)

A leak from the European Data Protection Board reveals that the EU's top privacy regulator is about to overrule the Irish Data Protection Commission and declare Facebook's business model illegal, banning surveillance-based ads without explicit consent:

In some ways, this is unsurprising. Since the GDPR's beginning, it's been crystal clear that the intention of the landmark privacy regulation was to extinguish commercial surveillance and ring down the curtain on "consent theater" – the fiction that you "agree" to be spied on by clicking "I agree" or just by landing on a web-page that has a link to some fine-print.

Under the GDPR, the default for data-collection is meaningful consent, meaning that a company that wants to spy on you and then sell or use the data it gathers has to ask you about each piece of data they plan to capture and each use they plan to make of it.

These uses have to be individually enumerated, and the user has to actively opt into giving up each piece of data and into each use of that data. That means that if you're planning to steal 700 pieces of information from me and then use it in 700 ways, you need to ask me 1,400 questions and get a "Yes" to each of them.

What's more, I have to be given a single tickbox at the start of this process that says, "No to all," and then I have to be given access to all the features of the site or service.

The point of this exercise is to reveal consent theater for the sham it is. For all that apologists for commercial surveillance insist that "people like ads, so long as they're well-targeted" and "the fact that people use high-surveillance services like Facebook shows a 'revealed preference' for being spied on," we all know that no one likes surveillance.

There's empirical proof of this! When Apple added one-click tracker opt-out on its Ios platform, 96% of users opted out, costing Facebook more than $10b in the first year (talk about a 'revealed preference!') (of course, Apple only opted those users out of tracking by its rivals, and secretly continued highly invasive, nonconsenual tracking of its customers):

Properly enforced, the GDPR would have upended the order of the digital world: any argument about surveillance between product managers at a digital firm would have been settled in favor of privacy, because the pro-privacy side could argue that no one would give consent, and the very act of asking would scare off lots of users.

But the GDPR wasn't properly enforced, thanks to structural problems with European federalism itself. The first line of GDPR enforcement came from privacy regulators in whatever country a privacy-violator called home. That meant that when Big Tech companies violated the GDPR, they'd have to account for themselves to the privacy regulator in Ireland.

For multinational corporations, Ireland is what old-time con-artists used to call a "made town," where the cop on the beat is in on the side of the criminals. Ireland's decision to transform itself into a tax haven means that it can't afford to upset the corporations that fly Irish flags of convenience and maintain the pretense that all their profits are floating in a state of untaxable grace in the Irish Sea.

That's because there are plenty of other EU countries that compete with Ireland in the international race to the bottom on corporate governance: Malta, Luxembourg, the Netherlands, Cyprus, etc (and of course, there's post-Brexit UK, where the plan is to create an unregulated haven for the worst, wealthiest companies in the world).

All this means that seeking Irish justice from a corporation that wronged you is like asking a court in Moscow to punish an oligarch's commercial empire on your behalf. Irish regulators are either "dingo babysitters" (guards in league with the guarded) or resource-starved into ineffectual torpor.

That's how Facebook got away with violating the GDPR for so many years. The company hid behind the laughable fairy-tale that it didn't need our consent to spy on us because it had a "legitimate purpose" for its surveillance, namely, that it was contractually obliged to spy on us thanks to the "agreement" we clicked on when we signed up for the service.

That is, you and Facebook had entered into a contract whereby Facebook promised you that it would spy on you, and if it didn't spy on you, it would be violating that promise.




But while the GDPR has a structural weakness – allowing corporations to choose to be regulated in countries that can't afford to piss them off – it also has a key strength: the private right of action, that is, the right of individuals to sue companies that violate the law, rather than having to convince a public prosecutor to take up their case.

The private right of action is vital to any privacy regulation, which is why companies fight it so hard. Whenever a privacy bill with a private right of action comes up, they tell scare-stories about "ambulance chasers" who'll "clog up the system," trotting out urban legends like the McDonald's Hot Coffee story:

But here we are, in the last days of 2022, and the private right of action is about to do what the Irish regulators wouldn't do: force Facebook to obey the law. For that, we can thank Max Schrems and the nonprofit he founded, noyb.

Schrems, you may recall, is the Austrian activist, who, as a Stanford law student, realized that EU law barred American tech companies from sending their surveillance data on Europeans to US data-centers, which the NSA and other spy agencies treated as an arm of their own surveillance projects:

Schrems brought a case against the Irish regulator to the EU's top privacy authority, arguing that it had failed its duty by ruling that Facebook's "contractual obligation" excuse held water. According to the leaked report, Schrems has succeeded, which means, once again, Facebook's business model is illegal.

Facebook will doubtless appeal, but the writing is on the wall here: it's the end of the line for surveillance advertising in Europe, an affluent territory with 500m+ residents. This decision will doubtless give a tailwind to other important privacy cases in the EU, like Johnny Ryan's case against the ad-tech consortium IAB over its "audience taxonomy" codes:

It's also likely good news for Schrems' other ongoing cases, like the one he's brought against Google:

Facebook has repeatedly threatened to leave the EU if it is required to stop breaking the law:

This is a pretty implausible threat, growing less plausible by the day. The company keeps delivering bad news to investors, who are not mollified by Mark Zuckerberg's promise to rescue the company by convincing all of humanity to spend the rest of their lives as highly surveilled, legless, sexless, low-polygon cartoon characters:

Zuckerberg and his entire senior team have seen their net worth plummet with Meta's share price, and that means the company needs to pay engineers with actual dollars, rather than promises of shares, which kills the massive wage-bill discount the company has enjoyed. This is not a company that can afford to walk away from Europe!

Between Apple's mobile (third-party) tracker-blocking and the EU calling time on surveillance ads, things are looking grim for Facebook. You love to see it! But things could get even worse, and soon, thanks to the double-edged sword of "network effects."

Facebook is a network effects business: people join the service to socialize with the people who are already there – then more people join to socialize with them. But what network effects give, they can also take away: a service that gets more valuable when a new user signs up loses value when that user leaves.

This is beautifully explained in danah boyd's "What if failure is the plan?" which recounts boyd's experiences watching MySpace unravel as key nodes in its social graph disappeared when users quit: "Failure of social media sites tends to be slow then fast":

Facebook long understood this, which is why it spent years creating artificial "switching costs" – penalties it could impose on users who quit, such as the loss of their family photos:

This is why Facebook and other tech giants are so scared of interoperability, and why they are so furious about the new EU Digital Markets Act (DMA), which will force them to allow new services to connect to their platforms, so that users who quit Big Tech won't have to lose their friends or data:

An interoperable Facebook would make it easy to leave social media by removing the penalties Facebook imposes on its disloyal users, and the EU's privacy framework means that when they flee to a smaller safe haven, they won't have to worry about commercial surveillance:

But what about advertising-supported media? Sure, being spied on sucks, but a subscription-first media landscape is a world where "the truth is paywalled, but the lies are free":

Ironically, killing surveillance ads is good news for ad-driven media. Surveillance-based ad-targeting is nowhere near as effective as Google, Facebook and the other ad-tech companies claim (these companies are compulsive liars, it would be amazing if the only time they told the truth is when they were boasting about their products!):

And consent-theater or no, targeted ads reach fewer users every day, thanks to ad- blockers, AKA, "the biggest boycott in world history":

And when a publisher does manage to display a targeted ad, they get screwed. The Googbook dupololy is a crooked affair, with the two tech companies illegally colluding (via the Jedi Blue conspiracy) to divert money from publishers to their own pockets:

Targeted ads are a cesspit of ad-fraud. 15% of all ad revenues are just unaccounted for:

The remaining funds aren't any more trustworthy. Ad-tech is a bezzle ("the magic interval when a confidence trickster knows he has the money he has appropriated but the victim does not yet understand that he has lost it"):

As Tim Hwang foretold in his essential Subprime Attention Crisis, the pretense that targeted ads are wildly effective has been slowly but surely losing ground to the wider awareness of the fraud behind the system, and a reckoning is at hand:

Experiments with contextual ads (ads based on the content of the page you're looking at, not on your behavior and demographics) have found them to about as effective in generated clicks and sales as surveillance ads.

But this is misleading. Contextual ads don't require consent opt-in (because they're not based on your data) and they don't drive users to install blockers the way creepy surveillance ads do, so lots more people will see a contextual ad than a surveillance one. Thus, even if contextual ads generate slightly less money per reader or viewer, they generate far more money overall, because they are aren't blocked.

Even better for publishers: contextual ads don't erode their own rate cards. Today, when you visit a high-quality publisher like the Washington Post, many ad brokers bid to show you an ad, but only one wins the auction. However, all the others have tagged you as a "Washington Post reader," and they can sell that to bottom-feeder junk sites. That is, they can collude with Tabooleh or its rivals to offer advertisers a chance to advertise to Post readers at a fraction of what the Post charges. Lather, rinse, repeat, and the Post's own ad revenues are drained.

This doesn't apply with contextual ads. Indeed, none of the tech giants' much-vaunted "data advantage" – the largely overstated value of knowing what you did online 10 or 20 years ago, the belief in which keeps new companies out of the market – applies to context ads:

The transformative power of banning surveillance advertising goes beyond merely protecting our privacy. It also largely answers the case for "link taxes" (pseudo-copyright systems that let giant media companies decide who can link to them and charge for the privilege).

The underlying case for link taxes, snippet taxes, etc, is that Big Tech is stealing the news media's content (by letting their users talk about and quote the news), when the reality is that Big Tech is stealing their money (through ad-fraud):

Unrigging the ad-tech market is a much better policy than establishing a link-tax, like the Democrats are poised to do with their Journalism Competition and Preservation Act (JCPA):

It's easy to understand why the monopoly/private-equity-dominated news industry wants JCPA, rather than a clean ad market. The JCPA just imposes a tax on the crooked ad-tech giants that is paid to the largest media companies, while a fair ad market would reward the media outlets that invested most in news (and thus in expensive, unionized news-gathering reporters).

Indeed, the JCPA only works if the ad-tech market remains corrupt: the excess Big Tech rents that Big News wants to claim here are the product of a rigged system. Unrig the system and there won't be any money to pay the link tax with.

(Image: Anthony Quintano, CC BY 2.0, modified)

Hey look at this (permalink)

This day in history (permalink)

#20yrsago EFF comments on the Broadcast Flag

#20yrsago Will compulsory licenses save P2P? levy.pdf

#20yrsago SUVs are not healthy for children and other living things

#10yrsago Canadian Conservative govt guts protections for 99+% of waterways, spare handful of lakes with high-cost cottages

#10yrsago GOP fires author of copyright reform paper

#10yrsago Meet the new Nintendo DRM, same as the old Nintendo DRM (but stupider)

#10yrsago Citigroup leads finance world in bullshit-generating capacity

#5yrsago Russian Orthodox Patriarch announces church-government inquiry to prove that the Tsar was killed in 1917 as part of a Jewish ritual

#5yrsago Investigation into emergency rooms shows that for-profit hospitals engage in billions in price-gouging

#5yrsago Sanders, vindicated: Senior Democrats say the GOP’s tax-plan has started a class war, and they’re going to fight back on those terms

#5yrsago The father of the most hostile piece of street furniture in world history explains why he thinks he’s right to make life harder for homeless people and socializing kids

#5yrsago Understanding attorney-client privilege with Donald Trump Jr and Ken “Popehat” White

#5yrsago A free sf anthology about space travel, inequality, equity and public policy: Kim Stanley Robinson, Madeline Ashby, Eileen Gun, Ramez Naam, Steven Barnes, Karl Schroeder and more!

#1yrago A lexicon of euphemisms for "corporate crime"

#1yrago IP lawyers weaponize trade secrecy to stall vaccine waivers

Colophon (permalink)

Currently writing:

  • The Bezzle, a Martin Hench noir thriller novel about the prison-tech industry. FIRST DRAFT COMPLETE, WAITING FOR EDITORIAL REVIEW

  • Picks and Shovels, a Martin Hench noir thriller about the heroic era of the PC. (92849 words total) – ON PAUSE

  • A Little Brother short story about DIY insulin PLANNING

  • The Bezzle, a Martin Hench noir thriller novel about the prison-tech industry. FIRST DRAFT COMPLETE, WAITING FOR EDITORIAL REVIEW

  • The Internet Con: How to Seize the Means of Computation, a nonfiction book about interoperability for Verso. FIRST DRAFT COMPLETE, WAITING FOR EDITORIAL REVIEW

  • Vigilant, Little Brother short story about remote invigilation. FIRST DRAFT COMPLETE, WAITING FOR EXPERT REVIEW

  • Moral Hazard, a short story for MIT Tech Review's 12 Tomorrows. FIRST DRAFT COMPLETE, ACCEPTED FOR PUBLICATION

  • Spill, a Little Brother short story about pipeline protests. FINAL DRAFT COMPLETE

  • A post-GND utopian novel, "The Lost Cause." FINISHED

  • A cyberpunk noir thriller novel, "Red Team Blues." FINISHED

Currently reading: Analogia by George Dyson.

Latest podcast: Sound Money

Upcoming appearances:

Recent appearances:

Latest books:

Upcoming books:

  • Red Team Blues: "A grabby, compulsive thriller that will leave you knowing more about how the world works than you did before." Tor Books, April 2023

This work licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Newsletter (no ads, tracking, or data-collection):

Mastodon (no ads, tracking, or data-collection):

Medium (no ads, paywalled):

(Latest Medium column: "Yes, It’s Censorship: Stop picking that nit, it’ll never heal"

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla