For your protection
The EU’s data protection law bodes ill for the internet’s anarchic side, argues Paul Demarty
It is rare enough when everyone becomes aware of some abstruse piece of Brussels legislation, but only hermits will have avoided a plague of near-identical emails in the last week or two - all citing, a little apologetically, the general data protection regulation (GDPR).
This regulation, which has caused all this mess, is an attempt to unify existing European Union data protection measures and beef up enforcement. Substantial restrictions have been placed on the collection of user information, especially ‘personally identifying information’ (PII). The maximum fine for the most egregious violations is the larger out of €20 million and 4% of the offending company’s total annual revenue. This is an eye-catching sum, and goes a long way towards making the regulation worth the effort.
Not that you would know it. For, although, from the pettiest email newsletter to Facebook and Google themselves, we have witnessed an orgy of arse-covering, the whole business has been a total shambles. Facebook’s Mark Zuckerberg refused to directly answer MEPs as to whether his company is fully compliant; all across Silicon Valley and east London and Berlin, fingers were being crossed when the law came into force on May 25. Some American businesses have simply ceased serving customers in the EU (there is some dispute as to exactly how hard you have to try to offload Europeans from your site in order to be compliant). Notably, an entire stable of newspapers, including the Chicago Tribune, went dark for those with European IP addresses.
We cannot very well blame the EU for all this - the text of the law was agreed two years ago, and it is the job of companies to pay attention to changes in the regulatory environment. The difference between the world as it was then - when such a regulation was so unimaginable that people simply did not take it seriously - to the world now that it has been enacted, is an important step change in internet history.
If the tech industry is collectively wailing and gnashing its teeth over all this, it must be viewed as a wholly self-inflicted injury. There are two primary problems GDPR is supposed to address. The first is the recurring phenomenon of catastrophic data breaches - a great boon to identity thieves the world over. Recent events have only reconfirmed the need for some framework to bring people to book for the grotesque negligence routinely displayed. We think, perhaps, of the Equifax breach last year, which compromised the identities of an absolute majority of the US population. Equifax has basically gotten off scot-free for this calamity. The other side of the problem is the extraordinary hunger for behavioural data exhibited by the major internet companies and their wannabe-rivals; likewise, the problem has become still more stark in the two years since GDPR was agreed, with the Cambridge Analytica scandal and related phenomena.
There is a popular image - too popular by half, really - of the internet as a place of wild, anarchic freedom. The lifestyle anarchist, Peter Lamborn Wilson - in his New Age cod-Sufi mystic guise, Hakim Bey - cited the then infant internet as the latest in a long line of “pirate utopias” - temporary autonomous zones, where people could enjoy a burst of freedom, even as they were surrounded by a rationalised, dehumanised world at large. For all the Sufi trinkets, Wilson’s schtick is very American, in a quite traditional way. Jack Kerouac’s On the road takes its hero to San Francisco in pursuit of personal authenticity; that quest has been domesticated from its wild and defiantly macho-male Beat form into the output of every marketing department in the universe, according to whom full self-actualisation is just one jar of vitamin supplements away.
What has not changed is the destination - California, from which mass internet culture most aggressively emanates. So much of the language of the technology industry is derived from the myth of the American west - indeed, the pre-eminent advocacy group for the rights of internet users in the United States is the Electronic Frontier Foundation. Self-congratulation on the part of technology’s self-styled ‘pioneers’ has reached a deafening pitch. And if there is one thing free-spirited cowboys hate, it is the law.
What the recent problems of Facebook and friends revealed - and what GDPR brings into sharper relief - is that the web giants were not so terrifically innovative after all. It turns out that quite a few of them have been growing fat off of one cheap trick: intrusively spying on their users and feeding the data to machine learning models. Overwhelmingly, the output of the latter - despite bluster about smart cities and self-driving cars - is more efficient targeting of advertising. The scrambled responses, the relentless lobbying, the surfeit of fuzzy-wuzzy PR all testify to this fact: Facebook and Google are not primarily engaged in doing anything interesting: merely acting - as a recent book on them has it - as “attention merchants”.1
Online advertising is a world of tiny margins. Ad space is perilously close to worthless - tiny margins matter. Facebook and Google compete on better targeting adverts at likely eyeballs; such targeting must be done automatically, to have a chance of scaling to their billions of users, but it also must be done quickly. That means building those aforementioned machine learning systems - or, very often, buying them in by acquiring smaller, artificial-intelligence-focused start-ups. The trouble with machine learning is that machines are not awfully good at learning. Imagine a young child: she sees a squirrel for the first time. Her parents tell her: ‘It is a squirrel’. If she sees two or three more squirrels, she will be able to recognise them instinctively for life. Even very sophisticated ML systems, however, require vastly more examples before they can reliably make correct judgements of this kind. The result is the first cause of that thirst for data.
The second cause is not so innocently ‘technical’. Apologists for Silicon Valley and its imitators like to point to the start-up scene as an indication of its great life-giving potential for a plainly ailing capitalism. If we look at how a venture capital-backed start-up actually succeeds, we find something very different - monopoly. Investors will light their money on fire for years only if the payoff is going to be massive, and it is well understood that the massive payoffs come in two basic shapes. One: the business attains an unassailable monopoly over some market. Two: the business is acquired by an incumbent at a large valuation, reinforcing the incumbent’s monopolistic position.
This only works, of course, if a business is defensible - that is, there has to be something to stop another start-up coming along and doing the same thing, but for five cents a month cheaper, and another one after that. This is where the data comes in - combined with the technical limitations of present-day AI systems, getting there first, and getting a lot of users quickly, in a market where AI gives a sufficiently dramatic advantage, can give you a monopolistic position.
Attracting the attention of regulators is not part of the plan, but it was quite inevitable. It is difficult to suppress a smile at the difficulties the monopolistic web companies are facing right now, as their grubby little business model faces its first serious challenge. Certainly, when it comes to the matter of data breaches, there is no less a need for serious regulatory oversight than there is - for example - in food hygiene. Too many companies have exposed millions of people to the risk of large-scale fraud and have been let off with nothing more than a roasting in the tech press.
The problems with the GDPR come from the other half of it: the question of privacy. We are talking, after all, about a regulation that is a direct successor to the infamous ‘right to be forgotten’, whereby people can petition Google to remove unfavourable search results about them. It is worth noting that the House of Lords tacked on an amendment to the Data Protection Act, which enacts the GDPR in British law, that would allow people to issue subject access requests to newspapers, compelling them to offer up all the information held about them - at a stroke abolishing the anonymous source (the government demurred, in deference to the sensibilities of its friends in the press, and the act passed without that amendment). We cannot imagine what such a bunch of ultra-establishment flunkies and apparatchiks as the Lords could possibly want to have ‘forgotten’ by right …
Even with its worst excesses excised, the law is based on regrettable premises. As is usual in bourgeois society, what is prized is the right to be left alone - ‘forgotten’, indeed. The techno-utopian bluster about the anarchic web had its grain of truth, which is that the emergence of the internet foisted an unwelcome dose of transparency onto powerful apparatuses that were not accustomed to not being able to silence critics. As long as it was not understood how to control things, things were not controlled effectively; all manner of highly productive mischief could follow.
There is a certain undertone to the moral panics about Facebook and friends which delegitimises them, insofar as they allow content disliked by their mainstream critics. It is ‘Russian trolls’ who are the problem, not Obama activists, when it comes to exploiting Facebook’s targeting features in more or less identical ways. We cannot, of course, expect the web monopolists to actually fight back: there is no money in it. Google and Facebook have been happily engaged in cosy arrangements with authoritarian regimes for as long as they have followed the scent of money in such directions - all while claiming, naturally, to be the camel’s nose of democracy under the tent of tyranny, or whatever the favoured metaphor of neoliberal idiots is nowadays.
We are losing, then, that primordial moment of freedom that followed from the communicative capacity of the human race taking a dramatic dialectical leap upwards over the last 20 or 30 years. What we would do well to discard along with that loss is the myth that such a technological transformation will ever do the work for us at the social level. There are those toting decentralisation of social media and similar services as ‘the answer’ to surveillance capitalism and digital media monopolies; there is a large overlap with cryptocurrency enthusiasts, and both outlooks are wrong for the same reason. You cannot design, at the level of software or hardware, a truly free world. Technology is the servant of social organisation, not its master.
1. T Wu The attention merchants: the epic scramble to get inside our heads London 2016.