We need a reset

Facebook bashing is in. It feels like every lawmaker has now given vent to their indignation to enhance their public profile. The German Minister of Justice summoned the company’s European director of policy, the Federal Cartel Office is conducting an investigation, and everyone is threatening consequences. There’s a similar picture on the other side of the Atlantic: Mark Zuckerberg even had to testify before Congress. That’s nothing but symbolic politics. After all, everyone knew long before the Cambridge Analytica scandal that the major U.S. Internet companies glean all the data they can about users in all possible ways in order to make money from it. No one has taken effective action against that to date. And that won’t change fundamentally as long as politicians believe the story they’re fed, namely that there’s a fair deal — “service for data.”

“Fair” would mean that all parties know what they’re letting themselves in for and also consented to that. In this complex and highly opaque world, however, no one has the slightest chance of finding out how and where all their data is collected, what happens to it and with whom it’s shared and for what purposes. In particular the widespread practice of tracking — the process of identifying and keeping tracks on website visitors and creating a profile of them — is completely obscure. Most users are aware that personal data is transferred to the platform operators when they use Facebook and Google, but hardly anyone knows that all their online activities are analyzed and stored. The Silicon Valley giants store detailed profiles on each of us — whether we use their platforms or not — containing not only general demographic data and what we’re interested in buying, but also highly private information on our personal finances and health, sexual preferences, political views, relationships, movements, etc.

No one can say for certain how and by whom this data is used and for what purpose. However, we know for sure that there are many parties who are interested in this data: advertisers, election campaign strategists, insurance companies — and hackers and intelligence services. We also know that no one can rely on the promises of those who collect the data: They revise their pledges only all too often in the course of time, yet the data is stored forever. Facebook, for example, has long tapped into data from WhatsApp, despite previous assurances to the contrary. Yahoo’s vast wealth of data is now in the hands of Verizon — a provider that already knows a lot about users through its ISP business. And we read almost weekly about data leaks — sometimes as a result of hacking, sometimes due to technical failure or — as was the case this time in the Cambridge Analytica affair — due to overly lax internal rules or reluctance to enforce them.

But it’s not enough to point the finger at the big players in Silicon Valley. The entire Internet economy, including publishers and advertisers over here, is part of the system — whether as beneficiaries of the data or suppliers of it. Our study Tracking the Trackers shows, for example, that tracking scripts collect data on user behavior on just under 80 percent of all websites. Just about all publishers are compelled to monitor users as well — after all, Google (including YouTube) and Facebook have created mighty advertising platforms and data oligopolies hardly anyone can evade. Even to publish an article here on Medium.com, you need a Google or Facebook account, as it is required for sign up. And of course Google and Facebook also track you on this page while you read this. That’s precisely the problem.

Facebook may have been much reviled recently, but it is only the number two data leech: Whereas the social network monitors “only” 27.1% of the website page loads according to our study Tracking the Trackers, Google’s tracking scripts boasts twice the reach (60.3%). What would happen if the next data leak were to hit Google or if an authoritarian government were to gain access to the data by force doesn’t bear thinking about.

We at Cliqz are convinced that there’s no such thing as “secure” profile creation. That’s why we’ve developed our products in such a way that they completely dispense with the need for transfer of personal data and yet work for users and advertisers alike — even targeting is possible with them. Instead of storing it on servers as is customary, we leave all of the data that might be used to identify and track users on the device and hence in the possession and under the control of the users. So products and business models that offer true data protection are feasible! Yet privacy by design also entails more complex business models and higher development costs. The players won’t therefore change their practices voluntarily.

Instead of boosting their profile through symbolic politics, lawmakers should therefore fight to strengthen data protection law lastingly. The chances of doing that have never been as great as they are today. The General Data Protection Regulation (GDPR) and ePrivacy may be a good start in establishing a shield that protects privacy effectively in practice. For the first time in the history of the Internet, there is the option of pressing the reset button, of bringing about a fundamental change in business models in the Internet economy. The new rules must not be watered down by lobbying and should be regarded as a new start.

I hope that the public interest triggered by the “Facebook scandal” ensures lasting pressure on policymakers and business this time. Strong user rights are not the end of the Internet or the end of commercial providers. A genuine reset would be a chance for a better Internet. Europe has to make the start.