
Why we’re not endorsing Contract for the Web

Contract for the Web—not signing

The Contract for the Web is a new thing that wants people to endorse it.

While there is much to like in it, what we see under Principle 5 (of 9) is a deal-breaker:

Respect and protect people’s privacy and personal data to build online trust.
So people are in control of their lives online, empowered with clear and meaningful choices around their data and privacy:

  1. By giving people control over their privacy and data rights, with clear and meaningful choices to control processes involving their privacy and data, including:
  2. Providing clear explanations of processes affecting users’ data and privacy and their purpose.
  3. Providing control panels where users can manage their data and privacy options in a quick and easily accessible place for each user account.
  4. Providing personal data portability, through machine-readable and reusable formats, and interoperable standards — affecting personal data provided by the user, either directly or collected through observing the users’ interaction with the service or device.

Note which party is “giving” and “providing” here. It’s not the individual.

By this principle, individuals should have no more control over their lives online than what website operators and governments “give” or “provide” them, with as many “control panels” as there are websites and “user accounts.” This is the hell we are in now, which metaphorically works like this:

It also leaves unaddressed two simple needs we have each had since the Web came into our lives late in the last millennium:

  1. Our own damn controls, that work globally, at scale, across all the websites of the world; and
  2. Our own damn terms and conditions that websites can agree to.

At Customer Commons we encourage #1 (as has ProjectVRM, since 2006), and are working on #2.

If you want to read the thinking behind this position, a good place to start is the Privacy Manifesto draft at ProjectVRM, which is open to steady improvement. (A slightly older but more readable copy is here at Medium.)

We also recommend Klint Finley’s What’s a Digital Bill of Rights Without Enforcement? in Wired. He makes the essential point in the title. It’s one I also made in Without Enforcement, GDPR is a Fail, in July 2018.

A key point here is that companies and governments are not the only players. As we say in Customers as a Third Force, each of us—individually and collectively—can and should be players too.

We’ll reach out to Tim Berners-Lee and others involved in drafting this “contract” to encourage full respect for the independent agency of individuals.


Privacy is personal. Let’s start there.

The GDPR won’t give us privacy. Nor will ePrivacy or any other regulation. We also won’t get it from the businesses those regulations are aimed at.

Because privacy is personal. If it wasn’t we wouldn’t have invented clothing and shelter, or social norms for signaling to each what’s okay and what’s not okay.

On the Internet we have none of those. We’re still as naked as we were in Eden.

But let’s get some perspective here:  we invented clothing and shelter long before we invented history, and most of us didn’t get online until long after Internet service providers and graphical browsers showed up in 1994.

In these early years, it has been easier and more lucrative for business to exploit our exposed selves than it has been for technology makers to sew (and sell) us the virtual equivalents of animal skins and woven fabrics.

True, we do have the primitive shields called ad blockers and tracking protectors. And, when shields are all you’ve got, they can get mighty popular. That’s why 1.7 billion people on Earth were already blocking ads online by early 2017.† This made ad blocking the largest boycott in human history. (Note: some ad blockers also block tracking, but the most popular ad blocker is in the business of selling passage for tracking to companies whose advertising is found “acceptable” on grounds other than tracking.)

In case you think this happened just because most ads are “intrusive” or poorly targeted, consider the simple fact that ad blocking has been around since 2004, yet didn’t hockey-stick until the advertising business turned into direct response marketing, hellbent on collecting personal data and targeting ads at eyeballs.††

This happened in the late ’00s, with the rise of social media platforms and programmatic “adtech.” Euphemized by its perpetrators as “interactive,” “interest-based,” “behavioral” and “personalized,” adtech was, simply put, tracking-based advertising. Or, as I explain at the last link, direct response marketing in the guise of advertising.

The first sign that people didn’t like tracking was Do Not Track, an idea hatched by Chris Soghoian, Sid Stamm, and Dan Kaminsky, and named after the FTC’s popular Do Not Call Registry. Since browsers get copies of Web pages by requesting them (no, we don’t really “visit” those pages—and this distinction is critical), the idea behind Do Not Track was to put the request not to be tracked in the header of a browser. (The header is how a browser asks to see a Web page, and then guides the data exchanges that follow.)

Do Not Track was first implemented in 2009 by Sid Stamm, then a privacy engineer at Mozilla, as an option in the company’s Firefox browser. After that, the other major browser makers implemented Do Not Track in different ways at different times, culminating in Mozilla’s decision to block third party cookies in Firefox, starting in February 2013.

Before we get to what happened next, bear in mind that Do Not Track was never anything more than a polite request to have one’s privacy respected. It imposed no requirements on site owners. In other words, it was a social signal asking site owners and their third party partners to respect the simple fact that browsers are personal spaces, and that publishers and advertisers’ rights end at a browser’s front door.
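What honoring that request looks like on the site's side, as an added example that is not part of the original post: a site reads the `DNT` request header and, when it is `1`, leaves out third-party tracking tags and cross-site cookies. The script and cookie lists, the function names and the `trackWhenUnset` option are hypothetical, constructed for illustration; `Tk` is the tracking-status response header from the W3C Tracking Preference Expression draft.

```javascript
// Added example, not code from the original post. All names are hypothetical.

// Constructed sample of what a page template might embed or set by default.
const PAGE_SCRIPTS = [
  { src: "https://cdn.publisher.example/site.js", tracks: false },
  { src: "https://tags.adtech.example/pixel.js", tracks: true },
  { src: "https://retarget.adtech.example/sync.js", tracks: true },
];
const PAGE_COOKIES = [
  { name: "session", tracks: false },       // first-party, needed for login state
  { name: "uid_crosssite", tracks: true },  // persistent cross-site identifier
];

// HTTP header names are case-insensitive, so match without regard to case.
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) {
      const first = Array.isArray(value) ? value[0] : value;
      return first === undefined || first === null ? undefined : String(first);
    }
  }
  return undefined;
}

// "1" = do not track, "0" = tracking allowed; a missing or malformed
// value is treated as no preference expressed.
function dntPreference(headers) {
  const raw = headerValue(headers, "DNT");
  if (raw === undefined) return "unset";
  const value = raw.trim();
  if (value === "1") return "do-not-track";
  if (value === "0") return "tracking-allowed";
  return "unset";
}

// Decide what the response may contain for this request.
// Nothing forces a site to do this: the header is only a request,
// so the decision lives entirely in the site's own code.
function planResponse(headers, options = {}) {
  const trackWhenUnset = options.trackWhenUnset === true; // site policy for "unset"
  const preference = dntPreference(headers);
  const track =
    preference === "tracking-allowed" ||
    (preference === "unset" && trackWhenUnset);
  const keep = (item) => track || !item.tracks;
  return {
    preference,
    scripts: PAGE_SCRIPTS.filter(keep).map((s) => s.src),
    cookies: PAGE_COOKIES.filter(keep).map((c) => c.name),
    responseHeaders: {
      Tk: track ? "T" : "N", // tell the browser whether this response tracks
      Vary: "DNT",           // keep caches from serving the tracked page to DNT users
    },
  };
}
```

The `Vary: DNT` header matters in practice: without it, a shared cache can hand the version with trackers to a browser that asked not to be tracked.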

The “interactive” ad industry and its dependents in publishing responded to that brave move by stomping on Mozilla like Godzilla on Bambi:

In this 2014 post I reported on the specifics of how that went down:

Google and Facebook both said in early 2013 that they would simply ignore Do Not Track requests, which killed it right there. But death for Do Not Track was not severe enough for the Interactive Advertising Bureau (IAB), which waged asymmetric PR warfare on Mozilla (the only browser maker not run by an industrial giant with a stake in the advertising business), even running red-herring shit like this on its client publishers’ websites:

As if Mozilla was out to harm “your small business,” or that any small business actually gave a shit.

And it worked.

In early 2013, Mozilla caved to pressure from the IAB.

Two things followed.

First, as soon as it was clear that Do Not Track was a fail, ad blocking took off. You can see that in this Google Trends graph†††, published in Ad Blockers and the Next Chapter of the Internet (5 November 2015 in Harvard Business Review):

Next, searches for “how to block ads” rose right in step with searches for retargeting, which is the most obvious evidence that advertising is following you around:

You can see that correlation in this Google Trends graph in Don Marti’s Ad Blocking: Why Now, published by DCN (the online publishers’ trade association) on 9 July 2015:

Measures of how nearly all of us continue to hate tracking were posted by Dr. Johnny Ryan (@johnnyryan) in PageFair last September. In that post, he reports on a PageFair “survey of 300+ publishers, adtech, brands, and various others, on whether users will consent to tracking under the GDPR and the ePrivacy Regulation.” Bear in mind that the people surveyed were industry insiders: people you would expect to exaggerate on behalf of continued tracking.

Here’s one result:

Johnny adds, “Only a very small proportion (3%) believe that the average user will consent to ‘web-wide’ tracking for the purposes of advertising (tracking by any party, anywhere on the web).” And yet the same survey reports “almost a third believe that users will consent if forced to do so by ‘tracking walls’, that deny access to a website unless a visitor agrees to be tracked.”

He goes on to add, “However, almost a third believe that users will consent if forced to do so by ‘tracking walls’, that deny access to a website unless a visitor agrees to be tracked. Tracking walls, however, are prohibited under Article 7 of the GDPR, the rules of which are already formalised and will apply in law from late May 2018.[3]”

Which means that the general plan by the “interactive” advertising business is to put up those walls anyway, on the assumption that people will think they won’t get to a site’s content without consenting to tracking. We can read that in the subtext of IAB Europe’s Transparency and Consent Framework, a work-in-progress you can follow here on GitHub, and read unpacked in more detail at AdvertisingConsent.eu.

So, to sum all this up, so far online what we have for privacy are: 1) popular but woefully inadequate ad blocking and tracking protection add-ons in our browsers; 2) a massively interesting regulation called the GDPR…

… and 3) plans by privacy violators to obey the letter of that regulation while continuing to violate its spirit.

So how do we fix this on the personal side? Meaning, what might we have for clothing and shelter, now that regulators and failed regulatory captors are duking it out in media that continue to think all the solutions to our problems will come from technologies and social signals other than our own?

Glad you asked. The answers will come in our next three posts here. We expect those answers to arrive in the world and have real effects—for everyone except those hellbent on tracking us—before the 25 May GDPR deadline for compliance.


† From Beyond ad blocking—the biggest boycott in human history: “According to PageFair’s 2017 Adblock Report, at least 615 million devices now block ads. That’s larger than the human population of North America. According to GlobalWebIndex, 37% of all mobile users, worldwide, were blocking ads by January of last year, and another 42% would like to. With more than 4.6 billion mobile phone users in the world, that means 1.7 billion people are blocking ads already—a sum exceeding the population of the Western Hemisphere.”

†† It was plain old non-tracking-based advertising that not only sponsored publishing and other ad-supported media, but burned into people’s heads nearly every brand you can name. After a $trillion or more has been spent chasing eyeballs, not one brand known to the world has been made by it. For lots more on all this, read everything you can by Bob Hoffman (@AdContrarian) and Don Marti (@dmarti).

††† Among the differences between the graph above and the current one—both generated by the same Google Trends search—are readings above zero in the latter for Do Not Track prior to 2007. While there are results in a search for “Do Not Track” in the 2004-2006 time frame, they don’t refer to the browser header approach later branded and popularized as Do Not Track.

Also, in case you’re reading this footnote, the family at the top is my father’s. He’s the one on the left. The location was Niagara Falls and the year was 1916. Here’s the original. I flipped it horizontally so the caption would look best in the photo.

 


Time for THEM to agree to OUR terms

Screen Shot 2016-03-25 at 12.12.45 PM

We can do for everybody what Creative Commons does for artists: give them terms they can offer—and that can be read and agreed to by lawyers, ordinary folks, and their machines. And then we can watch “free market” come to mean what it says, and not just “your choice of captor.”

Try to guess how many times, in the course of your life in the digital world, you have “agreed” to terms like these:

URsoScrewed

Hundreds? Thousands? (Feels like) millions?

Look at the number of login/password combinations remembered by your browser. That’ll be a fraction of the true total.

Now think about what might happen if we could turn these things around. How about if sites and services could agree to our terms and conditions, and our privacy policies?

We’d have real agreements, and real relationships, freely established, between parties of equal power who both have an interest in each other’s success.

We’d have genuine (or at least better) trust, and better signaling of intentions between both parties. We’d have better exchanges of information and better control over what gets done with that information. And the information would be better too, because we wouldn’t have to lie or hide to protect our identities or our data.

We’d finally have the only basis on which the Seven Laws of Identity, issued by Kim Cameron in 2005, would actually work. Check ’em out:

laws

Think about it. None of those work unless individuals are in charge of themselves and their relationships in the digital world. And they can’t as long as only one side is in charge. What we have instead are opposites: limited control and coerced consent, maximum disclosure for unconstrained use, unjustified parties, misdirected identity, silo’d operators and technologies, inhuman integration, and inconsistent experiences across contexts of all kinds. (I’ll add links for all of those later when I have time.)

Can we fix this problem, eleven years after Kim came down from the mountain (well, Canada) with those laws?

No, we can’t. Not without leverage.

The sad fact is that we’ve been at a disadvantage since geeks based the Web on an architecture called “client-server.” I’ve been told that term was chosen because “slave-master” didn’t sound so good. Personally, I prefer calf-cow:

calf-cow

As long as we’re the calves coming to the cows for the milk of “content” (plus unwanted cookies), we’re not equals.

But once we become independent, and can assert enough power to piss off the cows that most want to take advantage of us, the story changes.

Good news: we are independent now, and controlling our own lives online is pissing off the right cows.

We’re gaining that independence through ad and tracking blockers. There are also a lot of us now. And a lot more jumping on the bandwagon.

According to PageFair and Adobe, the number of people running ad blockers alone passed 200 million last May, with annual growth rates of 41% in the world, 48% in the U.S., and 82% in the U.K. alone.

Of course, the “interactive” ad industry (the one that likes to track you) considers this a problem only they can solve. And, naturally, the disconnect between their urge to track and spam us, and our decision to stop all of it, is being called a “war.”

But it doesn’t have to be.

Out in the offline world, we were never at war with advertising. Sure, there’s too much of it, and a lot of it we don’t like. But we also know we wouldn’t have sports broadcasts (or sports talk radio) without it. We know how much advertising contributes to the value of the magazines and newspapers we read. (Which is worth more: a thick or a thin Vogue, Sports Illustrated, Bride’s or New York Times?) And to some degree, we actually value what old-fashioned Mad Men type advertising brings to the market’s table.

On the other hand, we have always been at war with the interactive form of advertising we call junk mail. Look up unwanted+mail, click on “images,” and you’ll get something like this:

unwantedmail

What’s happened online is that the advertising business has turned into the “interactive” junk message business. Only now you can’t tell the difference between an ad that’s there for everybody and one that’s aimed by crosshairs at your eyeballs.

The difference between real advertising and tracking-based junk messages is the same as that between wheat and chaff.

Today’s ad and tracking blockers are primitive prophylactics: ways to protect our eyeballs from advertising and tracking. But how about if we turn these into instruments of agreement? We could agree to allow the kind of ads that pay the publisher and aren’t aimed at us by tracking.

Here at Customer Commons, we’ve been working on those kinds of terms for the last several years. Helping us have been law school students and teachers, geeks, and ordinary folks. Last we published a straw man version of those terms, they looked like this:

UserSubmittedTerms1stDraft

What those say (in the green circles) is “You (the second party) alone can use data you get from me, for as long as you want, just for your site or app, and will obey the Do Not Track request from my browser.”

This can be read easily by lawyers, ordinary folks, and machines on both sides, just the way the graphic at the top of this post, borrowed from Creative Commons (our model for this), describes.

We’re also not alone.

Joining us in this effort are the Identity Ecosystem Working Group, the Personal Data Ecosystem Consortium, the Consent and Information Sharing Working Group (which is working on a Consent Receipt to give agreements a way to be recorded by both parties), Mozilla and others on the ProjectVRM Development Work list.

Many people from those groups (including Kim Cameron himself) will be at IIW, the Internet Identity Workshop, at the Computer History Museum in Silicon Valley, on the last week of next month, April 26-28. It’s an unconference. No panels, no keynotes, no plenaries. It’s all breakouts, on topics chosen by participants.

The day before, at the same location, will be VRM Day. The main topic there will be terms, and how we plan to get working versions of them in the next three days at IIW.

This is a huge opportunity. I am sure we have enough code, and enough done work on standards and the rest of it, to put up exactly the terms we can offer and publishers online can accept, and will start to end the war (that really isn’t) between publishers and their readers.

Once we have those terms in place, others can follow, opening up to much better signaling between supply and demand, because both sides are equals.

So this is an open invitation to everybody already working in this space, especially browser makers (and not just Mozilla) and the ad and tracking blockers. IIW is a perfect place to show what we’ve got, to work together, and to move things forward.

Let’s do it.

 


Giving Customers Scale

scale-leverage

Customers need scale.

Scale is leverage. A way to get lift.

Big business gets scale by aggregating resources, production methods, delivery services — and, especially, customers: you, me and billions of others without whom business would not exist.

Big business is heavy by nature. That’s why we use mass as an adjective for much of what big business does: mass manufacturing, mass distribution, mass retailing, mass marketing, and mass approaches to everything, including legal agreements.

For personal perspective on this, consider how you can’t operate your mobile phone until you click “accept” to a 55-screen list of terms and conditions you’ll never read because there’s no point to it. Privacy policies are just as bad. Few offer binding commitments and nearly all are lengthy and complicated. According to a Carnegie-Mellon study, it would take 76 work days per year just to read all the privacy policies encountered by the average person. The Atlantic says this yields an “opportunity cost” of $781 billion per year, exceeding the GNP of Florida.

We accept this kind of thing because we don’t know any other way to get along with big business, and big business doesn’t know any other way to get along with us. And we’ve had this status quo ever since industry won the Industrial Revolution.

In 1943 — perhaps the apex of the Industrial Age — law professor Friedrich Kessler called these non-agreements “contracts of adhesion,” meaning the submissive party was required to adhere to the terms of the contract while the dominant party could change whatever they liked. On one side, glue. On the other, Velcro. Kessler said contracts of adhesion were pro forma because there was no way a big business could have different contracts with thousands or millions of customers. What we lost, Kessler said, was freedom of contract, because it didn’t scale.

So, for a century and a half, in economic sectors from retail to health care, we have had dominant companies controlling captive markets, often enabled by captured regulators as well. This way of economic life is so deeply embedded that most of us believe, in effect, that “free market” means “your choice of captor.” Stockholm syndrome has become the norm, not the exception.

Thus it is also no surprise that marketing, the part of business that’s supposed to “relate” to customers, calls us “targets” and “assets” they “acquire,” “control,” “manage,” “lock in” and “own” as if we are slaves or cattle. This is also why, even though big business can’t live without us, our personal influence on it is mostly limited to cash, coerced loyalty and pavlovian responses to coupons, discounts and other marketing stimuli.

Small businesses are in the same boat. As customers, we can relate personally, face to face, with the local cleaner or baker or nail salon. Yet, like their customers, most small businesses are also at the mercy of giant banks, credit agencies, business management software suppliers and other big business services. Many more are also crushed by big companies that use big compute power and the Internet to eliminate intermediaries in the supply chain.

It gets worse. In Foreign Policy today, Parag Khanna reports on twenty-five companies that “are more powerful than many countries.” In addition to the usual suspects (Walmart, ExxonMobil, Apple, Nestlé, Maersk) he also lists newcomers such as Uber, which is not only obsoleting the taxi business, but also the government agencies that regulate it.

It also gets more creepy, since the big craze in big business for the last few years has been harvesting “behavioral” data. While they say they’re doing it to “deliver” us a “better experience” or whatever, their main purpose is to manipulate each of us for their own gain. Here’s how Shoshana Zuboff unpacks that in Secrets of Surveillance Capitalism:

Among the many interviews I’ve conducted over the past three years, the Chief Data Scientist of a much-admired Silicon Valley company that develops applications to improve students’ learning told me, “The goal of everything we do is to change people’s actual behavior at scale. When people use our app, we can capture their behaviors, identify good and bad behaviors, and develop ways to reward the good and punish the bad. We can test how actionable our cues are for them and how profitable for us”…

We’ve entered virgin territory here. The assault on behavioral data is so sweeping that it can no longer be circumscribed by the concept of privacy and its contests.  This is a different kind of challenge now, one that threatens the existential and political canon of the modern liberal order defined by principles of self-determination that have been centuries, even millennia, in the making. I am thinking of matters that include, but are not limited to, the sanctity of the individual and the ideals of social equality; the development of identity, autonomy, and moral reasoning; the integrity of contract, the freedom that accrues to the making and fulfilling of promises; norms and rules of collective agreement; the functions of market democracy; the political integrity of societies; and the future of democratic sovereignty.

And that might be the short list. And an early one too.

Think about what happens when the “Internet of Things” (aka IoT) comes to populate our private selves and spaces? The marketing fantasy for IoT is people’s things reporting everything they do, so they can be studied and manipulated like laboratory mice.

Our tacit agreement to be mice in the corporate mazes amounts to a new social contract in which nobody has much of a clue about what the consequences will be. One that’s easy to imagine is personalized pricing based on intimate knowledge gained from behavioral tracking through the connected things in our lives. In the new world where our things narc on us to black boxes we can’t see or understand, our bargaining power falls to zero. So does our rank in the economic caste system.

But hope is not lost.

With the Internet, scale for individuals is thinkable, because the Internet was also designed from the start to give every node on the network the ability to connect with every other node, and to reduce the functional distance between all of them as close to zero as possible. Same with cost. As I put it in The Giant Zero,

On the Net you can have a live voice conversation with anybody anywhere, at no cost or close enough. There is no “long distance.”

On the Net you can exchange email with anybody anywhere, instantly. No postage required.

On the Net anybody can broadcast to the whole world. You don’t need to be a “station” to do it. There is no “range” or “coverage.” You don’t need antennas, beyond the unseen circuits in wireless devices.

In a 2002 interview Peter Drucker said, “In the Industrial Age, only industry was in a position to raise capital, manufacture, ship and communicate at scale, across the world. Individuals did not have that power. Now, with the Internet, they do.”*

The potential for this is summarized by the “one clue” atop The Cluetrain Manifesto, published online in April 1999 and in book form in January 2000:

Cluetrain's "one clue"

What happens when our reach is outward from our own data, kept in our own spaces, which we alone control? For other examples of what could happen, consider the personal computer, the Internet and mobile computing and communications. In each case, individuals could do far more with those things than centralized corporate or government systems ever could. It also helps to remember that big business and big government at first fought—or just didn’t understand—how much individuals could do with computing, networking and mobile communications.

Free, independent and fully human beings should be also good for business, because they are boundless sources of intelligence, invention, genuine (rather than coerced or “managed”) loyalty and useful feedback—to an infinitely greater degree than they were before the Net came along.

In The Intention Economy: When Customers Take Charge (Harvard Business Review Press, 2012), I describe the end state that will emerge when customers get scale with business:

Rather than guessing what might get the attention of consumers—or what might “drive” them like cattle—vendors will respond to actual intentions of customers. Once customers’ expressions of intent become abundant and clear, the range of economic interplay between supply and demand will widen, and its sum will increase… This new economy will outperform the Attention Economy that has shaped marketing and sales since the dawn of advertising. Customer intentions, well-expressed and understood, will improve marketing and sales, because both will work with better information, and both will be spared the cost and effort wasted on guesses about what customers might want, and flooding media with messages that miss their marks.

The Intention Economy reported on development work fostered by ProjectVRM, which I launched at the Berkman Center for Internet and Society in 2006. Since then the list of VRM developments has grown to many dozens, around the world.

VRM stands for Vendor Relationship Management. It was conceived originally as the customer-side counterpart of Customer Relationship Management, a $23 billion business (Gartner, 2014) that has from the start been carrying the full burden of relationship management on its own. (Here’s a nice piece about VRM, published today in CMO.)

There are concentrations of VRM development in Europe and Australia, where privacy laws are strong. This is not coincidental. Supportive policy helps. But it is essential for individuals to have means of their own for creating the online equivalent of clothing and shelter, which are the original privacy technologies in the physical world—and are still utterly lacking in the virtual one, mostly because it’s still early.

VRM development has been growing gradually and organically over the past nine years, but today there are three things happening that should accelerate development and adoption in the near term:

  1. The rise of ad, tracking and content blocking, which is now well past 200 million people. This gives individuals two new advantages: a) The ability to control what is allowed into their personal spaces within browsers and apps; and b) Potential leverage in the marketplace — the opportunity to deal as equals for the first time.
  2. Apple’s fight with the FBI, on behalf of its own customers. This too is unprecedented, and brings forward the first major corporate player to take the side of individuals in their fight for privacy and agency in the marketplace. Mozilla and the EFF are also standout players in the fight for personal freedom from surveillance, and for individual equality in dealings with business.
  3. A growing realization within CRM that VRM is a necessity for customers, and for many kinds of positive new growth opportunities. (See the Capgemini videos here.)

To take full advantage of these opportunities, VRM development is necessary but insufficient. To give customers scale, we also need an organization that does what VRM developers alone cannot: develop terms of engagement that customers can assert in their dealings with companies; certify compliance with VRM standards, hold events that customers lead and do not merely attend, prototype products (e.g. Omie) that have low commercial value but high market leverage, bring millions of members to the table when we need to bargain with giants in business — among other things that our members will decide.

That’s why we started Customer Commons, and why we need to ramp it up now. In the next post, we’ll explain how. In the meantime we welcome your thoughts.


* Drucker said roughly this in a 2001 interview published in Business 2.0 that is no longer on the Web. So I’m going from memory here.


Privacy is an Inside Job

The Searls Wanigan, 1949

Ordinary people wearing and enjoying the world’s original privacy technology: clothing and shelter. (I’m the one on top. Still had hair then.)

Start here: clothing and shelter are privacy technologies. We use them to create secluded spaces for ourselves. Spaces we control.

Our ancestors have been wearing clothing for at least 170,000 years and building shelters for at least half a million years. So we’ve had some time to work out what privacy means. Yes, it differs among cultures and settings, but on the whole it is well understood and not very controversial.

On the Internet we’ve had about 21 years*. That’s not enough time to catch up with the physical world, but hey: it’s still early.

It helps to remember that nature in the physical world doesn’t come with privacy. We have to make our own. Same goes for the networked world. And, since most of us don’t yet have clothing and shelter in the networked world, we’re naked there.

So, since others exploit our exposure — and we don’t like it — privacy on the Internet is very controversial. Evidence: searching for “privacy” brings up 4,670,000,000 results. Most of the top results are for groups active in the privacy cause, and for well-linked writings on the topic. But most of the billions of results below that are privacy policies uttered in print by lawyers for companies and published because that’s pro forma.

Most of those companies reserve the right to change their policies whenever they wish, by the way, meaning they’re meaningless.

For real privacy, we can’t depend on anybody else’s policies, public or private. We can’t wait for Privacy as a Service. We can’t wait for our abusers to get the clues and start respecting personal spaces we’ve hardly begun to mark out (even though they ought to be obvious). And we can’t wait for the world’s regulators to start smacking our abusers around (which, while satisfying, won’t solve the problem).

We need to work with the knitters and builders already on the case in the networked world, and recruit more to help out. Their job is to make privacy policies technologies we wear, we inhabit, we choose, and we use to signal what’s okay and not okay to others.

The EFF has been all over this for years. So have many developers on the VRM list. (Those are ones I pay the most attention to. Weigh in with others and I’ll add them here.)

The most widely used personal privacy technology today is ad and tracking blocking. More than 200 million of us now employ those on our browsers. The tools are many and different, but basically they all block ads and/or tracking at our digital doorstep. In sum this amounts to the largest boycott in human history.

But there’s still no house behind the doorstep, and we’re still standing there naked, even if we’ve kept others from planting tracking beacons on us.

One of the forms privacy takes in the physical world is the mutual understanding we call manners, which are agreements about how to respect each others’ intentions.

Here at Customer Commons, we’ve been working on terms we can assert, to signal those intentions. Here’s a working draft of what they look like now:

UserSubmittedTerms1stDraft

That’s at the Consent and Information Working Group. Another allied effort is Consent Receipt.

If you’re working on privacy in any way — whether you’re a geek hacking code, a policy maker, an academic, a marketer trying to do the right thing, or a journalist working the privacy beat — remember this: Privacy is personal first. Before anything else. If you’re not working on getting people clothing and shelter of their own, you’re not helping where it’s needed.

It’s time to civilize the Net. And that’s an inside job.

__________________

*If we start from the dawn of ISPs, graphical browsers, email and the first commercial activity, which began after the NSFnet went down on 30 April 1995.

 

 

 


New Rules for Privacy Regulations

The Wall Street Journal has an informative conversation with Lawrence Lessig: Technology Will Create New Models for Privacy Regulation. What underlies a change toward new models are two points: the servers holding vast user databases are increasingly (and very cheaply) breached, and the value of the information in those databases is being transferred to something more aligned to VRM: use of the data, on a need to know basis. Lessig notes:

The average cost per user of a data breach is now $240 … think of businesses looking at that cost and saying “What if I can find a way to not hold that data, but the value of that data?” When we do that, our concept of privacy will be different. Our concept so far is that we should give people control over copies of data. In the future, we will not worry about copies of data, but using data. The paradigm of required use will develop once we have really simple ways to hold data. If I were king, I would say it’s too early. Let’s muddle through the next few years. The costs are costly, but the current model of privacy will not make sense going forward.

The challenge, notes Lessig, is “a corrupt Congress” that is more interested in surveillance than markets and doing business. Perhaps that isn’t a problem, according to an Associated Press poll (which has no bias, of course!):

According to the new poll, 56 percent of Americans favor and 28 percent oppose the ability of the government to conduct surveillance on Internet communications without needing to get a warrant. That includes such surveillance on U.S. citizens. Majorities both of Republicans (67 percent) and Democrats (55 percent) favor government surveillance of Americans’ Internet activities to watch for suspicious activity that might be connected to terrorism. Independents are more divided, with 40 percent in favor and 35 percent opposed. Only a third of Americans under 30, but nearly two-thirds 30 and older, support warrantless surveillance.

Right. After all, who needs business?


For personal data, use value beats sale value

There’s an argument that goes like this:

  1. Companies are making money with personal data, and
  2. They are getting this data for free. Therefore,
  3. People should be able to make money with that data too.

This is not helpful framing, if we want to get full value out of our personal data. Or even to understand what the hell personal data is.

Stop and think about this for a second:

That data has far more use value than sale value. This use value is almost entirely untapped. Thinking about its sale value requires that you think the same way big companies do. This is as big a mistake in 2013 as it was —

  • in 1980 to think about personal computing in terms of what big enterprises did with mainframes; and
  • in 1993 to think about personal networking in terms of services provided by phone and cable companies.

In 1982 the IBM PC came along, and MS-DOS. And then the Macintosh in 1984. By 1985 there were tens of thousands of personal apps running on personal computers, doing far more than any company could do with its own computers, no matter how big those computers were. This turned out to be good for everybody, including the big companies with the big computers.

Likewise, in 1995 the Internet came along in a big way (ISPs, email, browsing, dial-up, e-commerce), and within months it was clear that anybody could network together with anybody else in the world at a cost that rounded to zero, and with a degree of freedom that was unimaginable within the systems controlled by phone and cable companies. (Eighteen years later, the phone and cable companies, with help from the copyright maximalists in Hollywood, are still trying to corral the Net’s horse back into the old barn.)

What companies are doing with your personal data today is all happening inside a B2B — Business-to-Business — context. That context is as limited as mainframe thinking in 1980 and telco/cableco thinking in 1993.

The other day in London we were talking with Nic Brisbourne about the massive quantity of opportunity and ready-to-spend money on the demand side of the marketplace — and the ironic absence (outside the still-small VRM world) of interest by developers in equipping demand to engage and drive supply. The market seems stuck inside the same old supply-driving-demand mentality. That’s what you hear coming from the mainframe-think world of Big Data mongering and analytics today.

Mind these words: Big Data talk today is as clueless about what people can do for themselves as mainframe talk was in 1980 and networking talk was in 1993. It’s big business-as-usual, in its big B2B bubble, talking itself into ever-ripening stages of vulnerability to massive disruption by the C’s of the world.

Speaking of which, we also met in Europe with Qiy, MesInfos, Midata, Intently, Mydex, Privowny and other VRM efforts (who will be insulted that I haven’t yet listed them here, but we can correct that). All of them are laying the groundwork required for unlocking the full use value of personal data — and not just its sale value, which is tiny at best anyway. Bravo for them, and for us as the beneficiaries of their good work.


The Personal Revolution

While the history of computing and communications often appears to be one led by big entities in business and government, the biggest revolution has actually been a personal one. Each of us, as individuals, has acquired abilities that were once those of organizations alone — and has done far more with those abilities than the big players ever could — for those big players as well as for ourselves.

It started in the early ’80s, when the IBM PC became host to thousands of new applications for individuals. Personal computers suddenly proved to be a far more fertile ground for application development and new uses than were the old corporate mainframes and minicomputers. Computing was no longer only about calculating and data processing. It was about everything one could imagine. The result was a profusion of new capabilities for individuals that also brought great benefits to organizations of all kinds and sizes.

A little more than a decade later, in the mid-’90s, the Internet did for communications what the PC did for computing. It gave individuals abilities that went far beyond those enjoyed by big organizations anywhere. Thanks to the Net, anybody could connect with anybody (or anything), anywhere in the world, using protocols that nobody owned, everybody could use, and anybody could improve. Even though there were many owned networks within the Internet, none governed the whole, and the result was a system that put every connected thing at zero functional distance from every other thing, at costs that could often be treated as zero. The positive economic and social externalities of the Internet today are beyond calculation. Again, as with PCs, this owes to new power in the hands of individuals that proved good for organizations as well.

Then in the late ’00s, smartphones and tablets put personal computing and communications advances — won by the PC and the Internet — into devices that fit in pockets and purses, running on platforms that invited millions of new applications. Once again, the increase in personal power and freedom proved essential to organizations as well. Initial resistance to BYOD (bring your own device) has ended, and companies now develop their own apps for employees and customers to use on their smartphones and tablets.

The upward trend in personal empowerment will move next to the “Internet of things,” as more of those objects and devices become equipped with computing and communication abilities — and as individuals gain the power to combine and program interactions between those things and the many services available through APIs (application programming interfaces) and apps. Each of us will be able, either by ourselves or with the help of “fourth parties” (ones that work for us, as do brokers and banks) to control our identities, secure our privacy, and manage our many interactions in the world, without having to rely on any one platform, vendor or other enabling party. Far better economic signaling will move in both directions between demand and supply. Genuine, trusting and productive relationships will develop, and earned loyalty will prove far more useful than the coerced kind. In sum, the market will discover that free customers and citizens will prove more capable and productive than captive ones, and that this will be good for both business and society.

Progress in this direction will not be easy or even. All through the history just outlined, there have also been constant efforts to contain and limit what individuals can do with their computing and communications abilities. Large incumbent players have worked to create dependencies from which we cannot escape, and to resist competition in open markets. In spite of the many advances they have brought to the market’s table, phone and cable companies today still operate actual or virtual monopolies, and have been working from the start — aided by captive legislators and regulators — to subordinate the Internet’s boundless positive economic externalities to their own legacy business interests. Copyright and patent absolutists have also pushed successfully for laws and regulations that thwart or stop innovation and growth outside their own virtual castles.

And now, in many countries that value neither free markets nor free citizens, efforts are afoot to move Internet “governance” (an oxymoron from the angle of the Internet’s founding protocols) from organizations such as ICANN to the ITU (International Telecommunications Union, now part of the U.N.), where they can partition the Net along national lines, censor it (as in China today), and impose tariffs on data traffic across borders — enriching governments at great expense to economic growth and prosperity, and the welfare of citizens.

Yet the computing, communications and programming genies continue to do their magic for individuals and the organizations they comprise and support. Those genies will not go back in their old bottles. Thus the way to bet in the long run is on personal and economic freedom, and the general prosperity that arises from both. The only way to make that bet pay off, however, is to work on the side of individuals and the developers that empower them. That’s our job here at Customer Commons, and we invite you to join us in that work.


Privacy is personal

In the physical world, we govern privacy with clothes and walls, buttons, zippers, windows and doors. (See Clothing as a privacy system.)

We also see privacy as a thing that can be possessed. That’s the framing for statements like, “Give me some privacy,” and “Don’t take away my privacy.”

On another hand (there can be many), we also see privacy as a state of being: “This is private.” “Keep this private.”

The American Heritage Dictionary defines privacy as “1. a) The quality or condition of being secluded from the presence or view of others; b) The state of being free from unsanctioned intrusion: a person’s right to privacy”; and  “2. The state of being concealed; secrecy.” The Collins English Dictionary (at that same link) adds one more: “3. (Philosophy) Philosophy the condition of being necessarily restricted to a single person.” The boldface is mine. I like that one. (And not just because I majored in philosophy, back in the decade.)

That’s the noun. To mine the derivational vein, we must also dig the adjective. Here’s American Heritage on private:

  1. a. Secluded from the sight, presence, or intrusion of others: a private hideaway; b. Designed or intended for one’s exclusive use: a private room.
  2. a. Of or confined to the individual; personal: a private joke; private opinions. b. Undertaken on an individual basis: private studies; private research. c. Of, relating to, or receiving special hospital services and privileges: a private patient.
  3. Not available for public use, control, or participation: a private club; a private party.
  4. a. Belonging to a particular person or persons, as opposed to the public or the government: private property. b. Of, relating to, or derived from nongovernment sources: private funding. c. Conducted and supported primarily by individuals or groups not affiliated with governmental agencies or corporations: a private college; a private sanatorium. d. Enrolled in or attending a private school: a private student.
  5. Not holding an official or public position: a private citizen.
  6. a. Not for public knowledge or disclosure; secret: private papers; a private communication. b. Not appropriate for use or display in public; intimate: private behavior; a private tragedy. c. Placing a high value on personal privacy: a private person.

Here’s what it says about deep sources for private (and also for privacy): “Middle English privat from Latin privatus, not in public life, past participle of privare, to release, deprive, from privus, single, alone… Indo-European roots.”

Thus, here in the everyday vernacular of the physical world, privacy is well understood, and has been since before we had History. But “here” now also constitutes the virtual world, where you are equally present, and reading this text right now. In the physical “here,” your privacy is provided by what you’re wearing and where you locate yourself. Your choices in the virtual “here” are not so plain and clear. Not yet, anyway. At best we can only hope that the stuff we try to keep private will stay that way. And it is best lately to hope less than you used to, because there is a large and growing business in abusing your privacy in the virtual world. That business is advertising. For that business, your privacy is a problem that can only be solved with a promise: Trust us. We not only respect your privacy, but are in business to help you. Buy stuff, that is.

Credit where due: the Internet Advertising Bureau (IAB) is deeply concerned about privacy, and requires that its members adhere to a raft of privacy principles. Here’s one: “Businesses collecting or using information about individual consumers for interactive advertising purposes should provide choice, where appropriate, to that individual. Consumers also should receive relevant education regarding cross-industry opportunities to opt out of the collection or use of individual information or other methods to exercise choice.”

However well-intended this might be, it’s a window fan blowing against the storm of wealth-creation that the “interactive” advertising business has become. On Friday, Facebook went public with a valuation exceeding $100 billion. Its business is advertising. So is Google’s, with a market cap hovering around $200 billion. The goal for both companies is to “personalize” advertising as much as possible. This requires making their machines learn all they can about you, whether you know it or not. And, for all their talk about providing choices, they’d rather you not shut out their tentacles or cover their prying eyes.

If you want to operate on the Web today, it is almost impossible to avoid either company, or the thousands of others that are in the business of knowing as much as possible about you, so that information can be sold to advertisers and their agencies. Wanting to maximize the sum and quality of information about individuals is at absolute odds with those companies’ stated commitments to privacy — as well as individuals’ own sense, based on experience in the physical world, of what privacy is and how it should work.

Did you know that, when you go to a site that has a Facebook “like” button, Facebook will know you were there, even if you don’t click on the button? Also, says Consumer Reports, “Even if you have restricted your information to be seen by friends only, a friend who is using a Facebook app could allow your data to be transferred to a third party without your knowledge.” And, adds Abine, “You know those Facebook Like and Connect buttons you see on almost every website?  They’re not just for sharing: they’re tracking devices.  Facebook buttons can track both members and non-members of Facebook, even if you never click them.  They transmit your clicks, browsing history, IP address, and more to Facebook.”

Is Facebook going to stop doing that kind of thing on their own, when they believe it’s also the very thing that makes them the most money?

Not surprisingly, Consumer Reports’ parent, Consumers Union, wants a policy solution. That is, new laws that restrict the ability of Facebook and others to, for example, track us without our permission. Meanwhile CU has also put up the HearUsNow site, as a way for individuals to demand better treatment by Facebook. The White House has also issued a Privacy Bill of Rights, which offers guidelines for lawmaking.

In his landmark book, Understanding Privacy, Raymond Solove details the many ways that privacy is nearly impossible to pin down in legal argument, much less in policy. So, while he notes in the first sentence of his first chapter, “Supreme Court Justice Louis Brandeis pronounced it ‘the most comprehensive of rights and the right most valued by civilized men,'” he later adds that “legal scholar Arthur Miller has declared that privacy is ‘difficult to define because it is exasperatingly vague and evanescent.'” Solove’s own case is that “the value of privacy must be determined on the basis of its importance to society, not in terms of individual rights.” He adds, “the value of privacy in a particular context depends on the social importance of the activities it facilitates.” The prescriptive chapters of the book are devoted to laying out a taxonomic framework for understanding privacy problems. Because, sensibly, “A lucid, comprehensive, and concrete understanding of privacy will aid the creation of law and policy to address privacy issues.”

Which is fine, if you think corporations and governments are the only actors in the marketplace with full agency. That is, with the ability to act, and to cause effects. As individuals on the Web, we don’t have that ability today. (Imagine having a website agree to your terms and conditions, rather than the reverse.) One symptom of that is the call for legislative protection, which we wouldn’t have if we had full agency. So, the thinking goes, “We can’t protect ourselves, so the government should step in.”

I’m against that, at least for now, because I don’t believe we’ve done enough to empower individuals on their own. I’d rather we work on equipping individuals to enjoy full agency, as independent and sovereign beings, in the online marketplace as well as in the offline one. Or, in other words, to break out of the calf-cow system (called “client-server”) that we’ve been stuck in since 1995. I believe the personal nature of privacy, as it has been understood plainly since the late Pleistocene, requires that.

Some of the tools are already there. Public key cryptography, for example. Link contracts in XDI. The stuff Alec Muffett starts talking about in Slide 47 of his presentation here. Same goes for much of the work being done by the ProjectVRM development community. As ordinary folk we don’t need to understand the technologies behind all that work, but it helps to know that we’re not starting from zero.

At the very least we need some perspective here, based on the fact that we have hardly begun to explore what it will take to create physical-grade privacy on the Net. And that as we do, we need to keep it personal. That’s where privacy is best understood and measured. There is also cause and effect. If you and I don’t have privacy online, society won’t either.

 

 
