The Whitehouse can close the Barn Door but the horse bolted

15th March 2024

At the end of February 2024 the Whitehouse issued an executive order to ban the sale of sensitive personal data to "Countries of concern."

I feel that this is too little too late, on the internet your data, including your sensitive, private data has been on sale for years. The barn door's been open since the beginning. The internet was created as a communication medium. Privacy and encryption has been bolted on. Then surveillance capitalism coaxed us out to use their walled gardens. To collect up every morsel of data about us to sell to the highest bidder.

Your browsing data for sale.

Americans may be surprised that their data is for sale. They may even be surprised that it's not just the data they consciously give to companies, but their metadata as well. What you browse, what your age is, who you are connected to and more is metadata. All of this data is a commodity. We've been objectified and reduced to that data. We have data profiles created from this. A virtual double, a sort of a digital poppet like from the old days of superstition. But unlike in those times, our poppets can be used to manipulate us. They can be used to harass us and others. Those digital poppets can be used against us.

It's one of the main tenets of Surveillance Capitalism. "If you aren't paying for the service, you are the product." However, even that isn't true. Sometimes you pay for a service and the data you provide them is collected, and access to that data is sold to other organizations within the US but also to foreign organizations. Our social networks are global.

Facebook and Google are the kings of collecting your data to use in their networks. The personal data funnel does not stop there, hardware manufacturers of our smart consumer electronics also collect your usage data and "phone home" with it. We've been gas-lit into thinking that because we are the product we must pay with our privacy. People have a limited understanding of what is collected and what it means.

However if you have had a weirdly creepy advertisement follow you around in your browsing on News sites, and elsewhere then perhaps you have an idea.

We've funded our social networks on advertising dollars, yes, but the real money is in your data. Both the obvious demographic data and your metadata. Since 2013 we've had an idea that tech companies collect our data and government agencies can access that data from PRISM and the Snowden Revelations. The Cambridge Analytica scandal also illustrated the fact that Facebook sold access to that data and targeted advertising at the people on those networks. However while Cambridge Analytica may be gone, the people behind it and the companies and governments using that data are still around.

Big Tech has manufactured consent to collect and use their customer's data. It is not in my view true consent. Most people never read the terms and conditions. So how can they consent? They can not consent to third parties and fourth parties down the line using their private data for anything.

The networks don't just advertise to you they collect data on you. Your browsing habits, your name, your age, and your demographics are very useful data to target you. With these networks and the aggregation of your data, there are data profiles of you so that advertisers can micro-target specific adverts at you.

That data can then be sold via data brokers to other Organisations in the US and abroad.

Consequences for Democracy

Technical companies have a very large corpus of collected data. Which has grave implications for Democracy. We saw with the revelations of 5 Eyes, PRISM, and Palintir that all kinds of data can be collected and stored. Even the DNA sample you put into a company like 23 and Me is data. When a company goes bust, or worse hacked that data is still valuable, it can be sold.
[1],[2],[3],[4]

With the historical context of Cambridge Analytica and the adverts aimed at voters across networks like Facebook, the Whitehouse is doing too little too late. That data has been weaponized against groups like the Rohingya in Myanmar as people became radicalized on Facebook, which helped to cause a Genocide in Myanmar. Erin Kissane wrote a really good series detailing Meta's failures to moderate content or take any responsibility for the algorithm of its content feed. Meta's bread and butter isn't us using its network to share cat photos. It's market is selling access to us and our data. To advertise at us and push misinformation to radicalise us. Turning us into digital poppets, to provide a dataset for tools to destabilise democracies and enable hate speech. To whip up our outrage and affect our opinions of each other and what we should vote for. [5]

Big Tech has learned nothing from its dealing with various corrupt governments around the world. It's happy to do business with them. The Whitehouse is posturing while it should be considering the privacy of its US citizens. But then Government agencies in the US benefit from the collection of citizens' private data and phone calls and has for two decades. The USA Patriot Act expired in 2020, but most agencies retain the authorities granted. [6]

Last year we saw a similar weaponization of micro-targeting ads by the EU, as it targeted a specific demographic to prop up support for its chat control legislation. Which would have enabled some surveillance of people's messages by breaking end-to-end encryption on chat applications. [7]

Chat control would have had further effects on many products that use encryption. People cannot escape politics, any more than they can escape tech to function in our society. Many activists have worked hard to try to bring that information and the ramifications of legislation like this to the general public.

Folks in the US should be worried as well, similar legislation is being proposed in a few states. Framed as a way to "Protect the Children" with flawed CSAM detecting mechanisms. It's a dragnet to collect data to place the blame later. Which law enforcement pays for access to, although it doesn't need that access. Take the example of the January 6th rioters. Many of them were caught due to their phone location data around the Capitol and their social network posts.

There's a US Election this November for the President of the United States. Our personal data being sold is a risk to democracy. But the Whitehouse is very naive to think that their enemies don't already have access to some of that data. Our Technical economy is built on big Data and what you can do with it.

Really the answer should be, don't sell on that data without Opt-in permission. But even then, there's a consent issue with this. States in the US would be wise to consider creating similar laws to the GDPR to limit the collection of data with Opt-in rather than opt-out.

Will the executive order work? What about AI?

Much like many things when it comes to geopolitical policy. It's security theatre. US companies and EU companies can't sell services or goods to countries with sanctions on them. So what counts as a "Country of Concern?" There is nothing to stop an international data broker from acting as a middleman. Although even then Sanctioned countries like Russia can still gain access to sensitive data via illegal means. Many organisations are careless with how they secure data. [1],[2],[3]

Data leaks. AI Companies utilising Large Language Models (LLM) do want to scrape up and buy data. It is another thing done to consumers without their express consent. We do not yet have legislation to demand transparency on where that data comes from. LLMs also are a black box. We don't know how that limited programmed intelligence produces its output.

I'm more concerned with the prevailing attitude in tech that it can do what it likes with our data and it doesn't feel it has to ask us. If anything the default is that you have to opt out of their processing of your data. Which is predatory behaviour as people need to know that they can opt out and the procedure for it needs to be simple, clear and concise. People also need to be able to trust that their data isn't going to be sold on.

LLMs are a distraction from the main concern. Which is the mass collection and processing of data without consumers' explicit consent. This disregard of consent isn't just an issue with Big Tech, it's happening across our democracies.

Big Tech moved fast and didn't just break our information flows and communications. They broke democracy, by enabling this with very little transparency or oversight in the name of "Safety."

What can we do about our data being sold?

It can seem hopeless to do anything about it.

On an individual level, you can limit the damage. It does take work and a little education. But you can limit what is collected about you. It's also important to help others in your family as well. Including those folks who aren't online yet.

For the data that has already been collected, as an individual it will depend on where in the world you live. If you live in the US, particularly in California you can and should send an Opt-Out request. If you have dealings with an EU company you do have rights under the GDPR to find out what that data is and you can ask them to remove that data. [8],[9]

If you can, resist purchasing smart electrical products. With your smartphone and computers, consider using Firefox and the ublock add-on. You can also consider browsing using the Tor network. Other useful privacy extensions are Privacy Badger and Consent-O-Matic which deals with a lot of advertising cookie consent dialogues. You can set it to reject all. [10],[11],[12],[13]

While I recommend not using networks like Facebook/Instagram or products by Google. It does take work to leave these systems and to learn to use the alternatives. Our lives and our families' lives are organised using these tools. [18]

Companies like Framasoft provide alternatives and hosting options via the CHATONs networks. The EU is investing in Open Source Projects that create alternative networks. [15],[16], [20]

But these are technical solutions for individuals. There are lobbying organisations that you can join. They cover in more detail the risks to our privacy and Human Rights. The EFF and EPIC are both organisations focused on digital rights and privacy. [17], [14]

People should also consider putting pressure on their elected representatives. Because politicians do often have a blind spot when it comes to "Solutions" coming from Big Tech, that will collect data. So more oversight and briefing from outside the traditional lobbying firms needs to be done to help Politicians understand the ramifications of tech.

Otherwise, Big Tech won't just move fast and break other democracies elsewhere. They will shatter an already fragile American Democracy.

[1]https://en.wikipedia.org/wiki/List_of_data_breaches

[2]https://www.webberinsurance.com.au/data-breaches-list#nineteen [3]https://haveibeenpwned.com/PwnedWebsites

[4]https://www.theguardian.com/technology/2023/dec/05/23andme-hack-data-breach

[5] https://erinkissane.com/meta-in-myanmar-part-i-the-setup

[6] https://epic.org/issues/surveillance-oversight/patriot-act/

[7] https://www.politico.eu/article/no-more-ads-elon-musk-x-twitter-european-commission-tell-staff/

[8]https://www.edps.europa.eu/data-protection/our-work/subjects/rights-individual_en

[9]https://gdpr-info.eu/art-3-gdpr/

[10]https://consentomatic.au.dk/

[11]https://ublockorigin.com/

[12]https://www.mozilla.org/en-US/

[13]https://privacybadger.org/

[14] https://epic.org/

[15]https://framasoft.org/en/

[16]https://www.chatons.org/en/node/1

[17]https://www.eff.org/

[18]https://www.theverge.com/23990974/social-media-2023-fediverse-mastodon-threads-activitypub

[20]https://bbj.hu/business/tech/innovation/how-ngi-supports-internet-applications-through-projects-like-mastodon

https://web.archive.org/web/20240301003639/https://www.whitehouse.gov/briefing-room/statements-releases/2024/02/28/fact-sheet-president-biden-issues-sweeping-executive-order-to-protect-americans-sensitive-personal-data/

https://web.archive.org/web/20240305135121/https://www.techtimes.com/articles/302310/20240305/white-houses-data-sale-ban-criticized-limited-impact.htm