Category: First Party

Digital Omnibus Article 88b needs to be about contract, not just consent

With gratitude to the famous Peanuts cartoon. (And art help from ChatGPT.)

The EU’s new Digital Omnibus proposal aims to update and expand the GDPR, notably with Article 88b, which includes this:

A new Article 88b Regulation (EU) 2016/679 (General Data Protection Regulation), for automated and machine-readable indications of individual choices and respect of those indications by website providers once standards are available.

That was written in June 2025. (I’ve boldfaced the phrases that matter.) We now have a standard for exactly what the EU wants and needs: IEEE 7012-2025—Standard for Machine-Readable Personal Privacy Terms. It is nicknamed MyTerms (much as IEEE 802.11 is nicknamed Wi-Fi) and was published by the IEEE in January 2026 after nine years in the making. Here’s the PDF.

Article 6 of the GDPR lists six bases for the  Lawfulness of Processing:

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

I’ve boldfaced the three that matter, and italicised their core distinctions.

The entire adtech business relies on the first and last of these, consent and legitimate interests, as their excuses for tracking people, allowing them to obey the letter of the GDPR while screwing its spirit.

We see consent at work with every cookie notice we click on or click past. And we have no faith that clicks on consent “choices” provide any privacy protection at all. Reasons:

  1. Most sites ignore cookie choices.
  2. Many sites set cookies even before a cookie choice is made.
  3. It’s obvious that adtech is a personalised guesswork business that relies on surveillance, so most of these “choices” are misdirections away from corporate hunger for personal data.
  4. We have no record of the “choices” we make (and in many cases, no choice is offered), or any way to audit or dispute compliance.
  5. Uninvited and unwanted surveillance is by now so far out of control that cars, TVs, and AI chatbots are all in on the game (and hardly bother with consent notices).

The legitimate interests are advertising and surveillance, which Google, Facebook and the IAB say the world needs, because it funds so much of what happens online.

To the adtech business, personal privacy is a bug, not a feature. The whole business is incentivised to violate privacy, because violating privacy pays. No amount of regulatory oversight will fix that. To adtech, paying fines for privacy violations is just a cost of doing business.

The only fix that will work is what people—customers and citizens—bring to the market’s table. With MyTerms, they can do that.

MyTerms addresses the second of the GDPR’s six legal bases: contract. Put simply, here is what  the MyTerms standard says:

  • The person (not a mere data subject) is the first party, and the site or service is the second party.
  • The person proffers a contractual agreement chosen from a limited roster posted on the public website of a disinterested nonprofit, such as Customer Commons (which was created to do for personal contracts what Creative Commons does for personal copyrights—and which the IEEE approached with the idea for making MyTerms a standard).
  • When the second party agrees, both parties keep an identical record, which supports compliance auditing and dispute resolution. (By preserving evidence, this also creates an infrastructure for dispute avoidance as well.)

The GDPR succeeded by recognising natural persons as holders of rights, but it left intact the industrial age convention in which organisations are the exclusive originators of terms at scale. That’s one reason why persons have remained mere data subjects rather than contractual parties.

Fortunately, the Internet’s base protocols are peer-to-peer. Treating people on the Net as mere “users” and “data subjects” limits their agency. With MyTerms, people acquire a status they yielded when industry won the industrial revolution. (Before the industrial age, surnames—Baker, Müller, Weaver,  Lefebvre, Smith, Marchand, Farmer—signified agency: what people did in the world. That’s just one thing we lost when we became workers, executives, consumers, and users.)

In the natural world, privacy is maintained mostly by tacit agreements. In the digital world there is no tacit, so agreements must become explicit and programmable. This is why contracts are the only way we’ll get real personal privacy in the digital world.

It should also be clear by now that polite requests also don’t work. We tried that with Do Not Track, and by the time it finished failing, the adtech lobby had turned it into Tracking Preference Expression—as if we wanted to be tracked all along.

That main pro-consent lobby is the Interactive Advertising Bureau, or IAB. Among its recommendations for the Digital Omnibus are deleting 88b and  improving consent in various ways, such as  “Revise the proposed stricter consent rules.”

The IAB is blind to the simple fact that people hate being spied on and do what they can to stop it—mainly by turning off ads. By 2015, ad blocking was already the biggest boycott in human history. That boycott rose in direct response to obvious tracking, especially with retargeting. (That’s how one ad or advertiser keeps following you from site to site and app to app.)  And the boycott is much bigger now:

The IAB earned all of that. Yet they still see ad blocking and tracking protection as problems to solve rather than clear and constructive signals from the marketplace.

So it should be clear by now that the old brownfield of consent has become a toxic wasteland of surveillance, lost privacy, and minimised human agency—led by an industry that has been hostile to privacy from the start.

In fact, consent is required for what Shoshana Zuboff calls Surveillance Capitalism. That form of capitalism is based on inferred or extracted consent. The only way we can defeat that regime is by re-basing e-commerce on contractual agreements in which customers take the lead. After all, it’s their privacy that needs protection.

The surveillance economy is limited entirely by its methods, which are built around grabbing attention, harvesting data, and guessing at people.

We can replace it with an intention economy that’s based on what customers actually want. The range of those wants far exceeds what companies and their systems can guess at. Far more business, and business improvement, opens up when market intelligence can flow both ways. In the consent/surveillance regime, it can’t, because all relationships are silo’d in sellers’ separate systems, all built to minimize customer interactions, by design. But relationships built on respectful contractual agreements can be far more capacious when those relationships start with forms of mutual trust that whole markets share. That’s what MyTerms makes possible.

Here is a quick outline of some additional benefits.

For customers, the most obvious one is getting rid of cookie notices, which are annoying and not worth the pixels they are printed on.  If a company really does care about personal privacy, it’ll respect personal privacy requirements. This is how things work in the natural world, where tracking people like marked animals has been morally wrong for millennia. In the digital world, however, agreements need to be explicit, so programming and services can be based on them. MyTerms does that.

For business, MyTerms has lots of advantages:

  • Reduced or eliminated compliance risk
  • Competitive differentiation
  • Lower customer churn
  • A basis for real rather than coerced relationships
  • A basis for better signalling in both directions
  • Reduced or eliminated guesswork about what customers want, how they use products and services, and  how both might be improved

Lawyers get a new market for services on both the buy and sell sides of the marketplace. Companies in the CMP (consent management platform) business (e.g. Admiral and OneTrust) have something new and better to sell to enterprises (and perhaps to people as well).

Lawmakers and Regulators can start looking at the Internet and the Web as places where freedom of contract prevails, and contracts of adhesion (such as what you “agree” to with cookie notices) are obsolete.

Developers can have a field day (or decade). Look for these categories to emerge

In the marketplace, we can start to see all these things:

  • VRM + CRM will flourish, as described by Iain Henderson (one of MyTerms’ authors) in Towards Network-Based Ecosystems.
  • We should expect improvements to digital public infrastructure, as relationships move out of Big Tech’s silos and into distributed relationship frameworks based on the Internet’s base peer-to-peer protocols.
  • Predictions I made in The Intention Economy: When Customers Take Charge (Harvard Business Review Press, 2012) and Tim Berners-Lee made in the Attention vs. Intention chapter of This Is for Everyone: The Unfinished Story of the World Wide Web (Farrar, Straus and Giroux, 2025) will finally come true.
  • There will be new dances between customers and companies. (“The Dance” is a closing chapter of The Intention Economy.)
  • New commercial ecosystems can grow around a richer flow of useful information in both directions, based on shared interest and trust between customers and companies.
  • Surveillance capitalism will be obsolesced — and replaced by an economy aligned with personal agency and mutual respect from contractual partners.

And much more.

So it would be helpful for the European Commission to expand its scope from protecting data subjects to empowering first parties. They can do that by welcoming MyTerms in the Omnibus Directive, expanding human agency into a new greenfield where boundless positive outcomes can flourish.


Drafts of myterms agreements are currently posted at MyTerms.info, which is a project of Customer Commons and MyData Global. You can also read more about MyTerms in writings by Iain Henderson, Nitin Badjatia, and me.

We also invite you to join the ProjectVRM list, where we can converse and collaborate on moving MyTerms forward.

The Original and the Eventual Intention Economy

The Intention Economy subtitle. It’s the whole thing, right there.

A recent post by Simon Taylor on X expresses something important about AI agents and markets: if an AI agent arrives in a market with a clear mandate—

Get me X. Budget Y. Constraints Z.

—it obsolesces business-as-usual for digital marketing.

See, all of martech and adtech starts with the assumption that human intent is fuzzy and manipulable—and that the best customers are captive and manipulated. Let’s look at this from three angles, which are also the three things that happen in markets:

  • transactions
  • conversations
  • relationships.

On the transaction side, companies invest heavily in tracking people, analyzing their behavior, targeting ads at them, and then (in many cases) rationalizing extremely wasteful results. Plus, of course, discounting or ignoring boundless negative externalities, such as the annoying people to new extremes and massively abusing personal privacy. (In fact, the system treats absent personal privacy as a base feature.) Anyway, the entire surveillance-based advertising fecosystem exists to guess what people want, or to influence what they might want.

On the relationship side, all we have so far is on the sell side: CRM, for Customer Relationship Management, and CX, for Customer Experience. We’ve been trying here to build (or to encourage building) systems for VRM, for Vendor Relationship Management, to give CRM customer hands to shake. But, in VRM’s absence, CRM is all we’ve got. One hand clapping. Or slapping. Or pushing prospects into a funnel.

What many of us, including Simon Taylor, suggest is facilitating conversation through AI agents. Simon’s case, specifically, is that an agent representing a person doesn’t need to be guessed at. It already knows the user’s intent. So there is no attention to capture and no desire to manufacture or manipulate. The demand signal is clear from the start. That’s why he says agents can collapse the attention economy.

The underlying shift in this direction has been visible for a long time. In The Intention Economy: When Customers Take Charge (Harvard Business Review Press, 2012), I argued that markets work best when customers drive them with clear signals of demand, rather than when sellers try to infer demand through surveillance and unwelcome persuasion. I also said markets can be far richer and more vital when customers and companies operate as equals, with relationships based on mutual interest rather than forms of coercion (such as “loyalty” programs that aren’t).

The work of Vendor Relationship Management (VRM) has been about correcting that imbalance.

Instead of companies managing relationships with customers through CRM (Customer Relationship Management) systems, we need customers able to manage relationships with vendors through VRM (Vendor Relationship Management) tools.

Note that relationship is the middle name of both CRM and VRM. Markets are not just about transactions. They are about relationships that continue over time.

That’s why a working intention economy will involve far more than simple buying transactions.

As Esteban Kolsky once put it, companies often focus almost entirely on the “buy cycle.” But customers live mostly in the “own cycle”—the long period of using, maintaining, fixing, improving, and learning from the products and services they already have:

In an intention economy, intelligence about that experience flows both ways between customers and companies. I wrote about this recently here:

Market intelligence that flows both ways.

VRM has long described one key mechanism for this: intentcasting, where customers signal their needs directly to the market rather than being targeted by guesses and ads.

Agents may make this far more feasible than it was when we first started talking about VRM nearly two decades ago.

But there’s an important point that often gets missed in current AI discussions.

The agency that matters most is the person’s, not the agent’s.

A personal AI agent is an instrument—like a phone, a computer, or a car. It acts on behalf of the individual, but the intention behind it must be the person’s own.

And that leads to another requirement:

The only truly personal agents will be owned and operated by individuals.

We don’t have that yet.

What we have instead are assistants that live inside corporate systems—helpful, sometimes impressive, but ultimately operating within feudal structures run by very large companies.

They are, at best, friendly suction cups on the tentacles of giants.

Individuals may well rent or borrow AI models from those giants. But the agents that represent us should operate inside our own environments, in our exclusive interest, rather than inside corporate systems whose interests may diverge from ours.

In other words, our agents should live in our own castles, not inside someone else’s kingdom.

When that happens—when individuals can show up in markets through tools they control—then the deeper shift becomes possible: from guesswork based on surveillance of captive customers to servicing self-qualified leads from free customers in the open marketplace.

Markets then begin to work the way markets are supposed to work: with demand and supply meeting in the open, in relationships that can last far beyond a single transaction.

This is also where work like MyTerms and the emerging ecosystem around personal AI becomes important. If individuals are to operate in markets through their own agents, those agents need ways to assert the person’s terms, preferences, and boundaries in forms that other systems can recognize and respect.

That is the direction VRM has been pointing for nearly twenty years: toward a world where individuals can arrive in markets with their own tools, their own data, and their own terms—and where markets can finally listen.

When that happens, markets will stop guessing what customers want—and start hearing them.

[Later… I actually wrote this post about a month ago, and put off publishing it while I worked on other things. Meanwhile, Adrian Gropper posted A Fork in the Road, which is required reading. I thank him for reminding me in the comments below, and for being a founding participant in ProjectVRM—going back to our earliest meetings almost 20 years ago.]

The Only Way to Get Privacy Online

No regulation to make organizations respect personal privacy will work.

We’ve had cookie laws since the ’00s, the GDPR since the ’10s, and the CCPA since 2020. None of them has worked.

All those regulations are aimed at reducing the power of organizations to violate personal privacy. None is to empower people. That’s why, under those regulations, all we can do is agree to the terms organizations provide. We have no independent agency.  All we have is what they promise, and their promises aren’t worth the pixels they’re printed on.

The only way we will get privacy is with contracts, which are laws that two parties make for themselves.

And the only way to make contracts work, at scale, is if we are the ones proffering those terms as first parties, and organizations agree to them as second parties. This flips the script on business-as-usual online.

By the old script, privacy is a grace of corporate obedience to selections in cookie notices, many of which provide no choice at all. There is “Accept,” and that’s it. In that case, all you’re accepting is a corporate privacy policy, which is typically just a fig leaf over the company’s hard-on for personal data.

Regardless of what you do with a cookie notice, chances are the company still tracks you like a marked animal.  See here and here. You also have no easy of auditing compliance, because you keep no record of your “choices.” And we have that system because the incentives are worse than misaligned: they are completely broken.

See, if you are a typical website, you get paid for allowing third parties to harvest visitors’ personal data and use it to aim personalized advertising at their eyeballs. This is morally wrong on its face, but easily rationalized because it pays.

In the natural world, a store would never plant tracking beacons on every shopper, or require those shoppers to “choose” privacy protections by stripping naked and then selecting the purposes to which their personal tracking beacons will be put. Shoppers would avoid that store like the plague,

However, on the Net and the Web, we haven’t yet invented privacy, just as we hadn’t in the natural world before we invented clothing and shelter. So, on the Net and the Web, we are still naked as fish. As a result, a plague of near-ubiquitous surveillance has been raging online for decades. It is nearly impossible to avoid getting infected.

Most of that surveillance is for the $742 Billion surveillance-fed fecosystem* called adtech. And the only way we can obsolesce it is with a business ecosystem that works for everyone: customers and companies alike, and together.

We can do that now, with MyTerms.

MyTerms is the nickname for IEEE P7012 Standard for Machine Readable Personal Privacy Terms, which will be published next week after eight years in the works. (I chair the working group.)

It describes a protocol in the diplomatic sense: a way to reach and record agreements. Here is a diagram that shows how it works:

It is also the ultimate product of ProjectVRM, which began in 2006 with a mission: to prove that free customers are more valuable than captive ones—to companies, to markets, and to themselves. It was to ProjectVRM’s nonprofit spinoff, Customer Commons, that the IEEE came in 2017 with the challenge to create the MyTerms standard.

Of course, every agreement needs to be good for both sides. Right now we have five draft agreements for that. SD-BASE says “Service Delivery only.” This one requires that the site or service provide the visitor only what the visitor came for, and not to share personal data with third parties. This will make the site or service more inviting. (Customer Commons also plans to offer a trustmark to sites and services that sign MyTerms Agreements.) Lots of other mutually respectful agreements can also be built on top of SD-BASE: agreements that respect personal agency as well as privacy.

Other initial MyTerms agreements cover data portability, intentcasting, data-for-good, and AI training.

MyTerms will foster businesses and business methods that the surveillance fecosystem prevents. We describe how that will work, and some of the businesses MyTerms will create and improve, in The Cluetrain Will Run from Customers to Companies.

Of course, we need to develop tools and services for making that cluetrain run.  Please tell us what you’ve got or plan.

The place to list those is in a new section of our Developments page. We also need to re-write and condense our privacy manifesto, and welcome help with both.

We also need to thank our many teams over the past two decades for jobs well done, even if many of those jobs didn’t go anywhere, mostly because they were too early.

Now is the time, because the world is fed up with surveillance—and it is easier than ever to develop tools and services using AI.

MyTerms will be announced on 28 January at this event in the Imperial Business School and online. Please come.


*The word fecosystem is apropos, kinda like Cory Doctorow’s ensittification. Spread both words.

A New Way

Cross-posted from Customer Commons

Some questions:

  1. Why do you always have to accept websites’ terms? And why do you have no record of your own of what you accepted, or when‚ or anything?
  2. Why do you have no way to proffer your own terms, to which websites can agree?
  3. Why did Do Not Track, which was never more than a polite request not to be tracked off a website, get no respect from 99.x% of the world’s websites? And how the hell did Do Not Track turn into the Tracking Preference Expression at the W2C, where the standard never did get fully baked?
  4. Why, after Do Not Track failed, did hundreds of millions—or perhaps billions—of people start blocking ads, tracking or both, on the Web, amounting to the biggest boycott in world history? And then why did the advertising world, including nearly all advertisers, their agents, and their dependents in publishing, treat this as a problem rather than a clear and gigantic message from the marketplace?
  5. Why are the choices presented to you by websites called your choices, when all those choices are provided by them? And why don’t you give them choices?
  6. Why does the GDPR call people mere “data subjects,” and assign the roles “data controller” and “data processor” only to other parties?* And why are nearly all the 200+million results in a search for GDPR+compliance about how companies can obey the letter of the law while violating its spirit (by continuing to track people)?
  7. Why does the CCPA give you the right to ask to have back personal data others have gathered about you on the Web, rather than forbid its collection in the first place? (Imagine a law that assumes that all farmers’ horses are gone from their barns, but gives those farmers a right to demand horses back from those who took them. It’s kinda like that.)
  8. Why, 22 years after The Cluetrain Manifesto said, we are not seats or eyeballs or end users or consumers. we are human beings and our reach exceeds your grasp. deal with it. —is that statement still not true?
  9. Why, 9 years after Harvard Business Review Press published The Intention Economy: When Customers Take Charge, has that not happened? (Really, what are you in charge of in the marketplace that isn’t inside companies’ silos and platforms?)

The easiest answer to all of those is the cookie.  Partly because without it none of those questions would be asked, and partly because it’s at the center of attention for everyone who cares today about the issues involved in those quesions.

The idea behind the cookie (way back in 1994, when Lou Montulli thought it up) was for a site to remember its visitors by planting reminder files—cookies—in visitors’ browsers. That would make it easy for site visitors to pick up where they left off when they arrived back. It was an innocent idea at the time; but it reified a construct: one that has permanently subordinated visitors to websites.

And it has thus far proven impossible to change that construct. It is, alas, the way the Web works.

Hey, maybe we can still change it. But why bother when there should be any number of other ways for demand and supply to signal each other in a networked marketplace? Better ways: ones that don’t depend on sites, search engines, social media and other parties inferring, mostly through surveillance, what might be “relevant” or “interest-based” for the individual? Ones that give individuals full agency and signaling power?

So we’d like to introduce one. It’s called the Intention Byway. It’s the brain-baby of our CTO, Hadrian Zbarcea, and it is informed by his ample experience with the Apache Software Foundation, SWIFT, the FAA and other enterprises large and small.

In this model, the byway is the path along which messages signaling intent travel between individuals and companies (or anyone), each of which has a simple computer called an intentron, which sends and receives those messages, and also executes code for the owner’s purposes as a participant in the open marketplace the Internet was designed to support.

As computers (which can be physical or virtual), intentrons run apps that can come from any source in the free and open marketplace, and not just from app stores of controlling giants such as Apple and Google. These apps can run algorithms that belong to you, and can make useful sense of your own data. (For example, data about finances, health, fitness, property, purchase history, subscriptions, contacts, calendar entries—all those things that are currently silo’d or ignored by silo builders that want to trap you inside their proprietary systems.) The same apps also don’t need to be large. Early prototypes have less than 100 lines of code.

Messages called intentcasts can be sent from intentrons to markets on the pub-sub model, through the byway, which is asynchronous, similar to email in the online world and package or mail forwarding in the offline world. Subscribers on the sell side will be listening for signals from markets for anything. Name a topic, and there’s something to subscribe to. Intentcasts on the customers’ side are addressed to markets by topical name. Responsibilities along the way are handled by messaging and addressing authorities. Addresses themselves are URNs, or Uniform Resource Names.

These are some businesses that can thrive along the Intention Byway:

  • Intentron makers
  • Intentron sellers
  • App makers
  • App sellers (or stores)
  • Addressing authorities
  • Messaging authorities
  • Message routers (operating like CDNs, or content distribution networks)

—in addition to sellers looking for better signals from the demand side of the market than surveillance-based guesswork can begin to equal.

We are not looking to boil an ocean here (though we do see our strategy as a blue one). The markets first energized by the promise of this model are local and vertical. Real estate in Boston and farm-to-table in Michigan are the two we featured on VRM/CuCo Day and in all three days of the Internet Identity Workshop, which all took place last week. Over the coming days and weeks, we will post details on how the Intention Byway works, starting with those two markets.

We also see the Intention Byway as complementary to, rather than competitive with, developments with similar ambitions, such as SSI, DIDcomm, picos, and JLINC. Once we take off our browser blinders, a gigantic space for new e-commerce development appears. All of those, and many more, will have work to do in it.

So stay tuned for more about life after cookies—and outside the same old bakery.


*Specifically, a “data controller” is “a legal or natural person, an agency, a public authority, or any other body who, alone or when joined with others, determines the purposes of any personal data and the means of processing it.”

While this seems to say that any one of us can be a data controller, that was not what the authors of the GDPR had in mind. They only wanted to maximize the width of the category to include solo operators, rather than to include the individual from whom personal data is collected. (Read what follows from that last link to see what I mean.) Still, this is a loophole through which personal agency can move, because (says the GDPR) the “data subject” whose rights the GDPR protects, is a “natural person.”

On privacy fundamentalism

This is a post about journalism, privacy, and the common assumption that we can’t have one without sacrificing at least some of the other, because (the assumption goes), the business model for journalism is tracking-based advertising, aka adtech.

I’ve been fighting that assumption for a long time. People vs. Adtech is a collection of 129 pieces I’ve written about it since 2008.  At the top of that collection, I explain,

I have two purposes here:

  1. To replace tracking-based advertising (aka adtech) with advertising that sponsors journalism, doesn’t frack our heads for the oil of personal data, and respects personal freedom and agency.

  2. To encourage journalists to grab the third rail of their own publications’ participation in adtech.

I bring that up because Farhad Manjoo (@fmanjoo) of The New York Times grabbed that third rail, in a piece titled  I Visited 47 Sites. Hundreds of Trackers Followed Me.. He grabbed it right here:

News sites were the worst

Among all the sites I visited, news sites, including The New York Times and The Washington Post, had the most tracking resources. This is partly because the sites serve more ads, which load more resources and additional trackers. But news sites often engage in more tracking than other industries, according to a study from Princeton.

Bravo.

That piece is one in a series called the  Privacy Project, which picks up where the What They Know series in The Wall Street Journal left off in 2013. (The Journal for years had a nice shortlink to that series: wsj.com/wtk. It’s gone now, but I hope they bring it back. Julia Angwin, who led the project, has her own list.)

Knowing how much I’ve been looking forward to that rail-grab, people  have been pointing me both to Farhad’s piece and a critique of it by  Ben Thompson in Stratechery, titled Privacy Fundamentalism. On Farhad’s side is the idealist’s outrage at all the tracking that’s going on, and on Ben’s side is the realist’s call for compromise. Or, in his words, trade-offs.

I’m one of those privacy fundamentalists (with a Manifesto, even), so you might say this post is my push-back on Ben’s push-back. But what I’m looking for here is not a volley of opinion. It’s to enlist help, including Ben’s, in the hard work of actually saving journalism, which requires defeating tracking-based adtech, without which we wouldn’t have most of the tracking that outrages Farhad. I explain why in Brands need to fire adtech:

Let’s be clear about all the differences between adtech and real advertising. It’s adtech that spies on people and violates their privacy. It’s adtech that’s full of fraud and a vector for malware. It’s adtech that incentivizes publications to prioritize “content generation” over journalism. It’s adtech that gives fake news a business model, because fake news is easier to produce than the real kind, and adtech will pay anybody a bounty for hauling in eyeballs.

Real advertising doesn’t do any of those things, because it’s not personal. It is aimed at populations selected by the media they choose to watch, listen to or read. To reach those people with real ads, you buy space or time on those media. You sponsor those media because those media also have brand value.

With real advertising, you have brands supporting brands.

Brands can’t sponsor media through adtech because adtech isn’t built for that. On the contrary, >adtech is built to undermine the brand value of all the media it uses, because it cares about eyeballs more than media.

Adtech is magic in this literal sense: it’s all about misdirection. You think you’re getting one thing while you’re really getting another. It’s why brands think they’re placing ads in media, while the systems they hire chase eyeballs. Since adtech systems are automated and biased toward finding the cheapest ways to hit sought-after eyeballs with ads, some ads show up on unsavory sites. And, let’s face it, even good eyeballs go to bad places.

This is why the media, the UK government, the brands, and even Google are all shocked. They all think adtech is advertising. Which makes sense: it looks like advertising and gets called advertising. But it is profoundly different in almost every other respect. I explain those differences in Separating Advertising’s Wheat and Chaff

To fight adtech, it’s natural to look for help in the form of policy. And we already have some of that, with the GDPR, and soon the CCPA as well. But really we need the tech first. I explain why here:

In the physical world we got privacy tech and norms before we got privacy law. In the networked world we got the law first. That’s why the GDPR has caused so much confusion. It’s the regulatory cart in front of the technology horse. In the absence of privacy tech, we also failed to get the norms that would normally and naturally guide lawmaking.

So let’s get the tech horse back in front of the lawmaking cart. With the tech working, the market for personal data will be one we control. For real.

If we don’t do that first, adtech will stay in control. And we know how that movie goes, because it’s a horror show and we’re living in it now.

The tech horse is a collection of tools that provide each of us with ways both to protect our privacy and to signal to others what’s okay and what’s not okay, and to do both at scale. Browsers, for example, are a good model for that. They give each of us, as users, scale across all the websites of the world. We didn’t have that when the online world for ordinary folk was a choice of Compuserve, AOL, Prodigy and other private networks. And we don’t have it today in a networked world where providing “choices” about being tracked are the separate responsibilities of every different site we visit, each with its own ways of recording our “consents,” none of which are remembered, much less controlled, by any tool we possess. You don’t need to be a privacy fundamentalist to know that’s just fucked.

But that’s all me, and what I’m after. Let’s go to Ben’s case:

…my critique of Manjoo’s article specifically and the ongoing privacy hysteria broadly…

Let’s pause there. Concern about privacy is not hysteria. It’s a simple, legitimate, and personal. As Don Marti and and I (he first) pointed out, way back in 2015, ad blocking didn’t become the biggest boycott in world history in a vacuum. Its rise correlated with the “interactive” advertising business giving the middle finger to Do Not Track, which was never anything more than a polite request not to be followed away from a website:

Retargeting, (aka behavioral retargeting) is the most obvious evidence that you’re being tracked. (The Onion: Woman Stalked Across Eight Websites By Obsessed Shoe Advertisement.)

Likewise, people wearing clothing or locking doors are not “hysterical” about privacy. That people don’t like their naked digital selves being taken advantage of is also not hysterical.

Back to Ben…

…is not simply about definitions or philosophy. It’s about fundamental assumptions. The default state of the Internet is the endless propagation and collection of data: you have to do work to not collect data on one hand, or leave a data trail on the other.

Right. So let’s do the work. We haven’t started yet.

This is the exact opposite of how things work in the physical world: there data collection is an explicit positive action, and anonymity the default.

Good point, but does this excuse awful manners in the online world? Does it take off the table all the ways manners work well in the offline world—ways that ought to inform developments in the online world? I say no.

That is not to say that there shouldn’t be a debate about this data collection, and how it is used. Even that latter question, though, requires an appreciation of just how different the digital world is from the analog one.

Consider it appreciated. (In my own case I’ve been reveling in the wonders of networked life since the 80s. Examples of that are thisthis and this.)

…the popular imagination about the danger this data collection poses, though, too often seems derived from the former [Stasi collecting highly personal information about individuals for very icky purposes] instead of the fundamentally different assumptions of the latter [Google and Facebook compiling massive amounts of data to be read by machines, mostly for non- or barely-icky purposes]. This, by extension, leads to privacy demands that exacerbate some of the Internet’s worst problems.

Such as—

• Facebook’s crackdown on API access after Cambridge Analytica has severely hampered research into the effects of social media, the spread of disinformation, etc.

True.

• Privacy legislation like GDPR has strengthened incumbents like Facebook and Google, and made it more difficult for challengers to succeed.

True.

Another bad effect of the GDPR is urging the websites of the world to throw insincere and misleading cookie notices in front of visitors, usually to extract “consent” that isn’t, to exactly what the GDPR was meant to thwart.

• Criminal networks from terrorism to child abuse can flourish on social networks, but while content can be stamped out private companies, particularly domestically, are often limited as to how proactively they can go to law enforcement; this is exacerbated once encryption enters the picture.

True.

Again, this is not to say that privacy isn’t important: it is one of many things that are important. That, though, means that online privacy in particular should not be the end-all be-all but rather one part of a difficult set of trade-offs that need to be made when it comes to dealing with this new reality that is the Internet. Being an absolutist will lead to bad policy (although encryption may be the exception that proves the rule).

It can also lead to good tech, which in turn can prevent bad policy. Or encourage good policy.

Towards Trade-offs
The point of this article is not to argue that companies like Google and Facebook are in the right, and Apple in the wrong — or, for that matter, to argue my self-interest. The truth, as is so often the case, is somewhere in the middle, in the gray.

Wearing pants so nobody can see your crotch is not gray. That an x-ray machine can see your crotch doesn’t make personal privacy gray. Wrong is wrong.

To that end, I believe the privacy debate needs to be reset around these three assumptions:
• Accept that privacy online entails trade-offs; the corollary is that an absolutist approach to privacy is a surefire way to get policy wrong.

No. We need to accept that simple and universally accepted personal and social assumptions about privacy offline (for example, having the ability to signal what’s acceptable and what is not) is a good model for online as well.

I’ll put it another way: people need pants online. This is not an absolutist position, or even a fundamentalist one. The ability to cover one’s private parts, and to signal what’s okay and what’s not okay for respecting personal privacy are simple assumptions people make in the physical world, and should be able to make in the connected one. That it hasn’t been done yet is no reason to say it can’t or shouldn’t be done. So let’s do it.

• Keep in mind that the widespread creation and spread of data is inherent to computers and the Internet,

Likewise, the widespread creation and spread of gossip is inherent to life in the physical world. But that doesn’t mean we can’t have civilized ways of dealing with it.

and that these qualities have positive as well as negative implications; be wary of what good ideas and positive outcomes are extinguished in the pursuit to stomp out the negative ones.

Tracking people everywhere so their eyes can be stabbed with “relevant” and “interest-based” advertising, in oblivity to negative externalities, is not a good idea or a positive outcome (beyond the money that’s made from it).  Let’s at least get that straight before we worry about what might be extinguished by full agency for ordinary human beings.

To be clear, I know Ben isn’t talking here about full agency for people. I’m sure he’s fine with that. He’s talking about policy in general and specifically about the GDPR. I agree with what he says about that, and roughly about this too:

• Focus policy on the physical and digital divide. Our behavior online is one thing: we both benefit from the spread of data and should in turn be more wary of those implications. Making what is offline online is quite another.

Still, that doesn’t mean we can’t use what’s offline to inform what’s online. We need to appreciate and harmonize the virtues of both—mindful that the online world is still very new, and that many of the civilized and civilizing graces of life offline are good to have online as well. Privacy among them.

Finally, before getting to the work that energizes us here at ProjectVRM (meaning all the developments we’ve been encouraging for thirteen years), I want to say one final thing about privacy: it’s a moral matter. From Oxford, via Google: “concerned with the principles of right and wrong behavior” and “holding or manifesting high principles for proper conduct.”

Tracking people without their clear invitation or a court order is simply wrong. And the fact that tracking people is normative online today doesn’t make it right.

Shoshana Zuboff’s new book, The Age of Surveillance Capitalism, does the best job I know of explaining why tracking people online became normative—and why it’s wrong. The book is thick as a brick and twice as large, but fortunately Shoshana offers an abbreviated reason in her three laws, authored more than two decades ago:

First, that everything that can be automated will be automated. Second, that everything that can be informated will be informated. And most important to us now, the third law: In the absence of countervailing restrictions and sanctions, every digital application that can be used for surveillance and control will be used for surveillance and control, irrespective of its originating intention.

I don’t believe government restrictions and sanctions are the only ways to  countervail surveillance capitalism (though uncomplicated laws such as this one might help). We need tech that gives people agency and companies better customers and consumers.  From our wiki, here’s what’s already going on. And, from our punch list, here are some exciting TBDs, including many already in the works already:

I’m hoping Farhad, Ben, and others in a position to help can get behind those too.

A citizen-sovereign way to pay for news—or for any creative work

The Aspen Institute just published a 180-page report by the Knight Commission on Trust, Media and Democracy titled  (in all caps) CRISIS IN DEMOCRACY: RENEWING TRUST IN AMERICA. Its Call to Action concludes,
This is good. Real good.  Having  Aspen and Knight endorse personal sovereignty as a necessity for solving the crises of democracy and trust also means they endorse what we’ve been pushing forward here for more than a dozen years.

Since the report says (under Innovation, on page 73) we need to “use technology to enhance journalism’s roles in fostering democracy,” and that “news companies need to embrace technology to support their mission and achieve sustainability,” it should help to bring up the innovation we proposed in an application for a Knight News Challenge grant in 2011. This innovation was, and still is, called EmanciPay. It’s a citizen-sovereign way to pay for news, plus all forms of creative production where there is both demand and failing or absent sources of funding.

We have not only needed this for a long time, but it is for lack of it (or of any original and market-based approach to paying for creative work) that the EU is poised to further break our one Internet into four or more parts and destroy the open Web that has done so much to bring the world together and generate near-boundless forms of new wealth, inclusivity, equality, productivity and other good nouns ending in ty. The EU’s hammer for breaking the open Web is the EU Copyright Directive,  which has been under consideration and undergoing steady revision since 2016. Cory Doctorow, writing for the EFF, says The Final Version of the EU’s Copyright Directive Is the Worst One Yet. One offense (among too many to list here):

Under the final text, any online community, platform or service that has existed for three or more years, or is making €10,000,001/year or more, is responsible for ensuring that no user ever posts anything that infringes copyright, even momentarily. This is impossible, and the closest any service can come to it is spending hundreds of millions of euros to develop automated copyright filters. Those filters will subject all communications of every European to interception and arbitrary censorship if a black-box algorithm decides their text, pictures, sounds or videos are a match for a known copyrighted work. They are a gift to fraudsters and criminals, to say nothing of censors, both government and private.

There are much better ways of getting the supply and demand sides of creative markets together. EmanciPay is one of them, and deserves another airing.

Perhaps now that Knight and Aspen are cheering the citizen-sovereign bandwagon, it’s worth welcoming the fact that our original EmanciPay proposal in open source form.

So here it is, copied and pasted out of the last draft before we submitted it. Since much has changed since then (other than the original idea, which is the same as ever only more timely), I’ve added a bunch of notes at the end, and a call for action. Before reading it, please note two things: 1) we are not asking for money now (we were then, but not now); and 2) while this proposal addresses the challenge of paying for news, it applies much more broadly to all creative work.

10:00pm Monday 31 January 2011

Project Title:

EmanciPay: a user-driven system for generating revenue and managing relationships

Requested amount from Knight News Challenge

$325,000

Describe your project:

EmanciPay is the first user-driven payment system for news and information media. It is also the first system by which the consumers of media can create and participate in relationships with media — and the first system to reform the legal means by which those relationships are created and sustained.

With EmanciPay, users can easily choose to pay whatever they like, whenever they like, however they like — on their own terms and not just those controlled by the media’s supply side. EmanciPay will also provide means for building genuine two-way relationships, rather than relationships defined by each organization’s subscription and membership systems. As with Creative Commons, terms will be expressed in text and symbols that can be read easily by both software and people.

While there is no limit to payment choice options with EmanciPay, we plan to test these one at a time. The first planned trials are with Tipsy, which is being developed in alongside EmanciPay, and which also has a Knight News Challenge application. The two efforts are cooperative and coordinated.

EmanciPay belongs to a growing family of VRM (Vendor Relationship Management) tools. Both EmanciPay and VRM grew out of work in ProjectVRM, which I launched in 2006, at the start of my fellowship with Harvard’s Berkman Center for Internet & Society. In the past four years the VRM development community has grown internationally and today involves many allied noncommercial and commercial efforts. Here is the current list of VRM development projects.

How will your project improve the delivery of news and information to geographic communities?:

Two ways.

First is with a new business model. Incumbent local and regional media currently have three business models: paid delivery (subscriptions and newsstand sales), advertising, and (in the case of noncommercial media) appeals for support. All of these have well-known problems and limitations. They are also controlled in a top-down way by media organizations. By reducing friction and lowering the threshold of payment, EmanciPay will raise the number of customers while also providing direct and useful intelligence about the size and nature of demand. This supports geographic customisation of news and information goods.

Second is by providing ways for both individuals and news organizations to create and sustain relationships that go beyond “membership” (which in too many cases means little more than “we gave money”). EmanciPay will also help consumers of news participate in the news development process. Because EmanciPay is based on open source code and open standards, it can be widely adopted and adapted to meet local needs. CRM (customer relationship management) software companies, many of which supply CRM systems to media organizations, are also awaiting VRM developments. (The cover and much of this CRM Magazine are devoted to VRM.)

What unmet need does your proposal answer?:

EmanciPay meets the need for maximum freedom and flexibility in paying for news and information, and for a media business model that does not depend only on advertising, membership systems, large donors or government grants. (This last one is of special interest at a time when cutting government funding of public broadcasting is a campaign pledge by many freshly elected members of Congress.)

Right now most news and information is free of charge on the Web, even when the same goods are sold on newsstands or through cable TV subscriptions. This fact, plus cumbersome and widely varied membership, pledging and payment systems, serves to discourage payment by media users. Even the membership systems of public broadcasting stations exclude vast numbers of people who would contribute “if it was easy”. EmanciPay overcomes these problems by making it easy for consumers of news to become customers of news. It also allows users to initiate real and productive relationships with news organizations, whether or not they pay those organizations.

How is your idea new?:

Equipping individuals with their own tools for choosing what and how to pay, and for creating and maintaining relationships, is a new idea. Nearly all other sustainability ideas involve creating new intermediators or working on improving services on the supply side.

Tying sustainability to meaningful relationships (rather than just “membership” is also new). So is creating means by which individuals can assert their own “terms of service” — and match those terms with those on the supply side.

EmanciPay is also new in the scope of its ambition. Beyond creating a large new source of revenues, and scaffolding meaningful relationships between supply and demand, EmanciPay intends to remove legal frictions from the marketplace as well. What lawyers call contracts of adhesion (ones in which the dominant party is free to change what they please while the submissive party is nailed to whatever the dominant party dictates) have been pro forma on the Web since the invention of the cookie in 1995. EmanciPay is the first and only system intended to obsolete and replace these onerous “agreements” (which really aren’t).

Once in place and working, EmanciPay’s effects should exceed even those of Creative Commons, because EmanciPay addresses the demand as well as the supply side of the marketplace. And, like Creative Commons, EmanciPay does not require changes in standing law.

Finally, EmanciPay is new in the sense that it is not centralized, and does not require an intermediary. As with email (the protocols of which are open and decentralized, by design), EmanciPay supports both self-hosting and hosting in “the cloud.” It is also both low-level and flexible enough to provide base-level building material for any number of new businesses and services.

What will you have changed by the end of the project?:

First, we will have changed the habits and methods by which people pay for the media goods they receive, starting with news and information.

Second, we will have introduced relationship systems that are not controlled by the media, but driven instead by the individuals who are each at the centers of their own relationships with many different entities. Thus relationships will be user-driven and not just organization-driven.

Third, we will have created a new legal framework for agreements between buyers and sellers on the Web and in the networked world, eliminating many of the legal frictions involved in today’s e-commerce systems.

Fourth, we will have introduced to the world an intention economy, based on the actual intentions of buyers, rather than on guesswork by sellers about what customers might buy. (The latter is the familiar “attention economy” of advertising and promotion.)

Why are you the right person or team to complete this project?:

I know how to get ideas and code moving in the world. I’ve done that while running ProjectVRM for the last four years. As of today VRM tools are being developed in many places, by many programmers, in both commercial and noncommercial capacities, around the world, Those places include BostonLondonJohannesburgDubuqueSantiagoBelfastSalt Lake CitySanta BarbaraVienna, and Seattle. Much of this work has also been advanced at twice-yearly IIW (Internet Identity Workshop) events, which I co-founded in 2005 and continue to help organize.

As Senior Editor of Linux Journal, I’ve been covering open source code development since 1996, contributing to its understanding and widespread adoption. For that and related work, I received a Google-O’Reilly Open Source Award for “Best Communicator” in 2005.

I helped reform both markets and marketing as a co-author of The Cluetrain Manifesto, a business bestseller in 2000 that has since become part of the marketing canon. (As of today, Cluetrain is cited by more than 5300 other books.) I also coined Cluetrain’s most-quoted line, “Markets are conversations.”

I helped popularize blogging, a subject to which I have been contributing original thinking and writing since 1999. I also have more than 12,000 followers on Twitter.

EmanciPay is also my idea, and one I have been working on for some time. This includes collaboration with PRX and other members of the public radio community on ListenLog (the brainchild of Keith Hopper at NPR), which can be found today on the Public Radio Player, an iPhone app that has been downloaded more than 2 million times. I am also working on EmanciPay with students at MIT/CSAIL and Kings College London. The MIT/CSAIL collaboration is led by David Karger of the MIT faculty, and ties in with work he and students are doing with Haystack and Tipsy.

I’ve also contributed to other VRM development efforts — on identity and trust frameworks, on privacy assurance, on selective disclosure of personal data, and on personal data stores (PDSes), all of which will help support EmanciPay as it is deployed.

What terms best describe your project?:

Bold, original, practical, innovative and likely to succeed.

What tasks/benchmarks need to be accomplished to develop your project and by when will you complete them? (500 words)

1) Engaging of programmers at MIT and other institutions within two months.

2) Establishment of Customer Commons (similar to Creative Commons) within two months.

3) Getting EmanciPay into clinical law case study by classes at law schools, one semester after the grant money arrives.

4) Beta-level code within six months.

5) Recruitment of first-round participating media entities (journals, sites, blogs, broadcast stations — completed within six months.

6) Relationships established with PayPal, Google Checkout and other payment intermediators within six months.

7) Tipsy trials within three months after beta-level code is ready.

8) Full EmanciPay trials within six months after beta-level code is ready.

9) Research protocols completed by the time beta code is ready.

How will you measure progress?: (500 words)

1) Involvement in open source code development by programmers other than those already paid or engaged (for example, as students) for the work

2) Completion of code

3) Deployment in target software and devices

4) Cooperation by allied development .orgs and .coms

5) Adoption and use by individuals

6) Direct financial benefit for news organizations.

All are measurable. We can count programmers working on code bases, as well as patches and lines of code submitted and added. We can see completed code in downloadable and installable form in the appropriate places. We can see and document cooperation by organizations. We can count downloads and monitor activities by users (with their permission). And we can see measurable financial benefits to news and information organizations. Researching each of these will be part of the project. For example, we will need to provide on our website, or directly, descriptions of accounting methods for the organizations that will benefit directly from individual contributions.

Do you see any risk in the development of your project?: (500 words)

EmanciPay is likely to be seen as disruptive by organizations that are highly vested in existing forms of funding. One example is public broadcasting, which has relied on fund drives for decades.

There is also a fear that EmanciPay will raise the number of contributors while lowering the overall funding dollar amount spent by contributors. I don’t expect that to happen. What I do expect is for the market to decide — and for EmanciPay to provide the means. Fortunately, EmanciPay also provides means for non-monetary relationships to grow as well, which will raise the perception of value by users and customers, and the likelihood that more users will become customers.

How will people learn about what you are doing?: (500 words) remaining

We will blog about it, talk about it at conferences, tweet about it, and use every other personal and social medium to spread the word. And we will use traditional media relations as well — which shouldn’t be too hard, since we will be working to bring more income to those media.

We have a good story about an important cause. I’m good at communicating and driving stories forward, and I and have no doubt that the effort will succeed.

Is this a one-time experiment or do you think it will continue after the grant?: (500 words)

EmanciPay will continue after the grant because it will become institutionalized within the fabric of the economy, as will its allied efforts.

In addition to the Knight News Challenge, does your project rely on other revenue sources? (Choose all that apply):

[ ] Advertising
[ ] Paid Subscriptions
[ x ] Crowd-Funded
[ ] Earned Income
[ ] Syndication
[ ] Other

Here’s what happened after that.

  1. Customer Commons was incorporated as a California-based 501(3)(c) nonprofit shortly after this was submitted.  (It is also currently cited in this CNN story  and this one by Fox News.) Almost entirely bootstrapped, Customer Commons has established itself as a Creative Commons-like place where model personal privacy policies and terms of engagement that individuals proffer as first parties can live. Those terms are among a number of other tools for exercising citizen sovereign powers. “CuCo” also plans, immodestly, to be a worldwide membership organization, comprised entirely of customers (possible slogan: “We’re the hundred percent”). In that capacity, it will hold events, publish, develop customer-side code that’s good for both customers and businesses (e.g. a shopping cart of your own that you can take from site to site), and lobby for policies that respect the natural sovereignty and power of customers in the digital world. After years of prep, and not much asking, Customer Commons is at last ready to accept funding, and to start scaling up. If you have money to invest in grass roots citizen-sovereign work, that’s a good place to do it.
  2. Commercial publishers, including nearly all the world’s websites (or so it seems) became deeply dependent on adtech—tracking based advertising—for income. (I reviewed that history here in 2015.) We’ve been fighting that. So have governments. Both the GDPR in Europe and the California Consumer Privacy Act were called to existence by privacy abuses funded by adtech. (Seriously, without adtech, those laws wouldn’t have happened.)
  3. The current VRM developments list is a large and growing one. So is our list of participants.
  4. Some of the allied projects mentioned in the proposal are gone or have morphed. But some are still there, and there are many other potential collaborators.
  5. Fintech has become a thing, along with blockchain, distributed ledgers and other person-driven solutions to the problem of excessive centralization.
  6. The word cluetrain is now mentioned in more than 13,000 books. And, twenty years since it was first uttered, cluetrain is also tweeted almost constantly.
  7. I am now editor-in-chief of Linux Journal, the first publication ready  to accept terms proffered by readers, starting with a Customer Commons one dubbed #NoStalking.

That list could go on, but it’s not what matters.

What matters is that EmanciPay was a great idea when we proposed it in the first place, and a better idea now. With the right backing, it can scale.

If you want to solve the problem of paying for news (or all of journalism), there is not a more democratic, fair, trust-causing and potentially massive idea on the table, for doing exactly that, than EmanciPay. And nobody is better potentiated to address lots of other problems and  goals laid out in that Knight Commission report. One example: An immodest proposal for the music industry.

If you’re interested, talk to me.

Why personal agency matters more than personal data

Lately a lot of thought, work and advocacy has been going into valuing personal data as a fungible commodity: one that can be made scarce, bought, sold, traded and so on.  While there are good reasons to challenge whether or not data can be property (see Jefferson and  Renieris), I want to focus on a different problem: the one best to solve first: the need for personal agency in the online world.

I see two reasons why personal agency matters more than personal data.

The first reason we have far too little agency in the networked world is that we settled, way back in 1995, on a model for websites called client-server, which should have been called calf-cow or slave-master, because we’re always the weaker party: dependent, subordinate, secondary. In defaulted regulatory terms, we clients are mere “data subjects,” and only server operators are privileged to be “data controllers,” “data processors,” or both.

Fortunately, the Net’s and the Web’s base protocols remain peer-to-peer, by design. We can still build on those. And it’s early.

A critical start in that direction is making each of us the first party rather than the second when we deal with the sites, services, companies and apps of the world—and doing that at scale across all of them.

Think about how much more simple and sane it is for websites to accept our terms and our privacy policies, rather than to force each of us, all the time, to accept their terms, all expressed in their own different ways. (Because they are advised by different lawyers, equipped by different third parties, and generally confused anyway.)

Getting sites to agree to our own personal terms and policies is not a stretch, because that’s exactly what we have in the way we deal with each other in the physical world.

For example, the clothes that we wear are privacy technologies. We also have  norms that discourage others from doing rude things, such as sticking their hands inside our clothes without permission.

We don’t yet have those norms online, because we have no clothing there. The browser should have been clothing, but instead it became an easy way for adtech and its dependents in digital publishing to plant tracking beacons on our naked digital selves, so they could track us like marked animals across the digital frontier. That this normative is no excuse. Tracking people without their conscious and explicit invitation—or a court order—is morally wrong, massively rude, and now (at least hopefully) illegal under the GDPR and other privacy laws.

We can easily create privacy tech, personal terms and personal privacy policies that are normative and scale for each of us across all the entities that deal with us. (This is what ProjectVRM’s nonprofit spin-off, Customer Commons, is about.)

It is the height of fatuity for websites and services to say their cookie notice settings are “your privacy choices” when you have no power to offer, or to make, your own privacy choices, with records of those choices that you keep.

The simple fact of the matter is that businesses can’t give us privacy if we’re always the second parties clicking “agree.” It doesn’t matter how well-meaning and GDPR-compliant those businesses are. Making people second parties in all cases is a design flaw in every standing “agreement” we “accept.” And we need to correct that.

The second reason agency matters more than data is that nearly the entire market for personal data today is adtech, and adtech is too dysfunctional, too corrupt, too drunk on the data it already has, and absolutely awful at doing what they’ve harvested that data for, which is so machines can guess at what we might want before they shoot “relevant” and “interest-based” ads at our tracked eyeballs.

Not only do tracking-based ads fail to convince us to do a damn thing 99.xx+% of the time, but we’re also not buying something most of the time as well.

As incentive alignments go, adtech’s failure to serve the actual interests of its targets verges on absolute. (It’s no coincidence that more than a year ago, up to 1.7 billion people were already blocking ads online.)

And hell, what they do also isn’t really advertising, even though it’s called that. It’s direct marketing, which gives us junk mail and is the model for spam. (For more on this, see Separating Advertising’s Wheat and Chaff.)

Privacy is personal. That means privacy is an effect of personal agency, projected by personal tech and by personal expressions of intent that others can respect without working at it. We have that in the offline world. We can have it in the online world too.

Privacy is not something given to us by companies or governments, no matter how well they do Privacy by Design or craft their privacy policies. Top-down privacy simply can’t work.

In the physical world we got privacy tech and norms before we got privacy law. In the networked world we got the law first. That’s why the GDPR has caused so much confusion. Good and helpful though it may be, it is the regulatory cart in front of the technology horse. In the absence of privacy tech, we also failed to get the norms that would normally and naturally guide lawmaking.

So let’s get the tech horse back in front of the lawmaking cart. If we don’t do that first, adtech will stay in control. And we know how that movie goes, because it’s a horror show and we’re living in it now.

 

© 2026 ProjectVRM

Theme by Anders NorenUp ↑