Pluralistic: Privacy first (06 Dec 2023)

A hospital room with a hospital bed. The patient in the bed is wearing some kind of red mind-control helmet with a red cord snaking away to a switchplate on the wall. He is grimacing and clutching his sheets. A breakaway wall shows a caricature of Uncle Sam whose legs stick out to suggest a horseshoe magnet. His face has been replaced with the glowing red eye of HAL9000 from Kubrick's '2001: A Space Odyssey.' Behind him is a 'code waterfall' as seen in the credit sequences of the Wachowskis' 'Matrix' movies.

Privacy first

The internet is embroiled in a vicious polycrisis: child safety, surveillance, discrimination, disinformation, polarization, monopoly, journalism collapse – not only have we failed to agree on what to do about these, there's not even a consensus that all of these are problems.

But in a new whitepaper, my EFF colleagues Corynne McSherry, Mario Trujillo, Cindy Cohn and Thorin Klosowski advance an exciting proposal, which they call "Privacy First," that slices cleanly through this Gordian knot.

Here's the "Privacy First" pitch: whatever is going on with all of the problems of the internet, all of these problems are made worse by commercial surveillance.

  • Worried your kid is being made miserable through targeted ads? No surveillance, no targeting.

  • Worried your uncle was turned into a Qanon by targeted disinformation? No surveillance, no targeting.

  • Worried that racialized people are being targeted for discriminatory hiring or lending by algorithms? No surveillance, no targeting.

  • Worried that nation-state actors are exploiting surveillance data to attack elections, politicians, or civil servants? No surveillance, no surveillance data.

  • Worried that AI is being trained on your personal data? No surveillance, no training data.

  • Worried that the news is being killed by monopolists who exploit the advantage conferred by surveillance ads to cream 51% off every ad-dollar? No surveillance, no surveillance ads.

  • Worried that social media giants maintain their monopolies by filling up commercial moats with surveillance data? No surveillance, no surveillance moat.

The fact that commercial surveillance hurts so many groups of people in so many ways is terrible, of course, but it's also an amazing opportunity. Thus far, the individual constituencies for, say, saving the news or protecting kids have not been sufficient to change the way these big platforms work. But when you add up all the groups whose most urgent cause would be significantly improved by comprehensive federal privacy law, vigorously enforced, you get an unstoppable coalition.

America is decades behind on privacy. The last really big, broadly applicable privacy law we passed was a law banning video-store clerks from leaking your porn-rental habits to the press (Congress was worried about their own rental histories after a Supreme Court nominee's movie habits were published in the Washington City Paper).

In the decades since, we've gotten laws that poke around the edges of privacy, like HIPAA (for health) and COPPA (data on under-13s). Both laws are riddled with loopholes and neither is vigorously enforced.

Privacy First starts with the idea of passing a fit-for-purpose, 21st century privacy law with real enforcement teeth (a private right of action, which lets contingency lawyers sue on your behalf for a share of the winnings).

Here's what should be in that law:

  • A ban on surveillance advertising.

  • Data minimization: a prohibition on collecting or processing your data beyond what is strictly necessary to deliver the service you're seeking.

  • Strong opt-in: None of the consent theater click-throughs we suffer through today. If you don't give informed, voluntary, specific opt-in consent, the service can't collect your data. Ignoring a cookie click-through is not consent, so you can just bypass popups and know you won't be spied on.

  • No preemption. The commercial surveillance industry hates strong state privacy laws like the Illinois biometrics law, and they are hoping that a federal law will pre-empt all those state laws. Federal privacy law should be the floor on privacy nationwide – not the ceiling.

  • No arbitration. Your right to sue for violations of your privacy shouldn't be waivable in a clickthrough agreement.

  • No "pay for privacy." Privacy is not a luxury good. Everyone deserves privacy, and the people who can least afford to buy private alternatives are most vulnerable to privacy abuses.

  • No tricks. Getting "consent" with confusing UIs and tiny fine print doesn't count.

A Privacy First approach doesn't merely help all the people harmed by surveillance, it also prevents the collateral damage that today's leading proposals create. For example, laws requiring services to force their users to prove their age ("to protect the kids") are a privacy nightmare. They're also unconstitutional and keep getting struck down.

A better way to improve the kid safety of the internet is to ban surveillance. A surveillance ban doesn't have the foreseeable abuses of a law like KOSA (the Kids Online Safety Act), like bans on information about trans healthcare, medication abortions, or banned books.

When it comes to the news, banning surveillance advertising would pave the way for a shift to contextual ads (ads based on what you're looking at, not who you are). That switch would change the balance of power between news organizations and tech platforms – no media company will ever know as much about their readers as Google or Facebook do, but no tech company will ever know as much about a news outlet's content as the publisher does.

This is a much better approach than the profit-sharing arrangements that are being trialed in Australia, Canada and France (these are sometimes called "News Bargaining Codes" or "Link Taxes"). Funding the news by guaranteeing it a share of Big Tech's profits makes the news into partisans for that profit – not the Big Tech watchdogs we need them to be. When Torstar, Canada's largest news publisher, struck a profit-sharing deal with Google, they killed their long-running, excellent investigative "Defanging Big Tech" series.

A privacy law would also protect access to healthcare, especially in the post-Roe era, when Big Tech surveillance data is being used to target people who visit abortion clinics or secure medication abortions. It would end the practice of employers forcing workers to wear health-monitoring gadgets. This is characterized as a "voluntary" way to get a "discount" on health insurance – but in practice, it's a way of punishing workers who refuse to let their bosses know about their sleep, fertility, and movements.

A privacy law would protect marginalized people from all kinds of digital discrimination, from unfair hiring to unfair lending to unfair renting. The commercial surveillance industry shovels endless quantities of our personal information into the furnaces that fuel these practices. A privacy law shuts off the fuel supply.

There are plenty of ways that AI will make our lives worse, but copyright won't fix it. For issues of labor exploitation (especially of creative workers), the answer lies in labor law.

And for many of AI's other harms, a muscular privacy law would starve AI of some of its most potentially toxic training data.

Meanwhile, if you're worried about foreign governments targeting Americans – officials, military, or just plain folks – a privacy law would cut off one of their most prolific and damaging sources of information. All those lawmakers trying to ban TikTok because it's a surveillance tool? What about banning surveillance, instead?

Monopolies and surveillance go together like peanut butter and chocolate. Some of the biggest tech empires were built on mountains of nonconsensually harvested private data – and they use that data to defend their monopolies. Legal privacy guarantees are a necessary precursor to data portability and interoperability.

Once we are guaranteed a right to privacy, lawmakers and regulators can order tech giants to tear down their walled gardens, rather than relying on tech companies to (selectively) defend our privacy.

The point here isn't that privacy fixes all the internet's woes. The policy is "privacy first," not "just privacy." When it comes to making a new, good internet, there's plenty of room for labor law, civil rights legislation, antitrust, and other legal regimes. But privacy has the biggest constituency, gets us the most bang for the buck, and has the fewest harmful side-effects. It's a policy we can all agree on, even if we don't agree on much else. It's a coalition in potentia that would be unstoppable in reality. Privacy first! Then – everything else!

(Image: Cryteria, CC BY 3.0, modified)

This day in history

#20yrsago Walt Disney’s FBI files

#20yrsago Ska-anthem about duct tape

#15yrsago Britain’s “Great Firewall” set to restrict access to Wikipedia

#15yrsago Workers in Argentina taking over dead factories and running them democratically

#10yrsago What Nelson Mandela’s life tells us about the legitimacy of “democratic nations”

#10yrsago Medieval kids’ birch-bark doodles

#10yrsago Botnet of 20,000 point-of-sale machines

#5yrsago Jamie Dimon is getting fed up with the protesters who “occupy” him everywhere he goes

#5yrsago Wells Fargo blames “computer glitch” for its improper foreclosure on 545 homes

#5yrsago The third annual AI Now report: 10 more ways to make AI safe for human flourishing

#5yrsago Europe’s biggest sports leagues and movie studios disavow #Article13, say it will give #BigTech even more control

#5yrsago On January 1, America gets its public domain back: join us at the Internet Archive on Jan 25 to celebrate

Colophon

Today's top sources: Slashdot (

Currently writing:

  • A Little Brother short story about DIY insulin PLANNING

  • Picks and Shovels, a Martin Hench noir thriller about the heroic era of the PC. FORTHCOMING TOR BOOKS JAN 2025

  • The Bezzle, a Martin Hench noir thriller novel about the prison-tech industry. FORTHCOMING TOR BOOKS FEB 2024

  • Vigilant, Little Brother short story about remote invigilation. FORTHCOMING ON TOR.COM

  • Spill, a Little Brother short story about pipeline protests. FORTHCOMING ON TOR.COM

Latest podcast: Don’t Be Evil

Upcoming books:

  • The Bezzle: a sequel to "Red Team Blues," about prison-tech and other grifts, Tor Books, February 2024

  • Picks and Shovels: a sequel to "Red Team Blues," about the heroic era of the PC, Tor Books, February 2025

  • Unauthorized Bread: a graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2025

This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla