(as of fall 2021)
This post is my personal take, at a high level, of how data privacy is proceeding in the US as of fall 2021 — and because I’ve lived through much of what I discuss here, it is highly biased by my personal perspective. Nonetheless, I hope it will be of interest to those who are wondering what all this noise is about “data privacy”, why it’s a real thing, and why it matters…and especially if you are as concerned and upset as I am about how Facebook and the rest of social media has been pushing our real world in the wrong direction.
Because it doesn’t have to be this way. I think if more concerned citizens were aware of how the Internet has been hijacked, in a sense, and how we can get it back on a path that supports and fosters good citizenship, they would help build political support to do that. To me, that is why data privacy matters: it could become a pathway to a better Internet.
So what I have attempted to provide here is some historical context behind current events in data privacy legislation, as well as insights as to where such legislation may be headed; but this is not some wonky political analysis. Real history involves real people, and tells a good story. I use historical highlights from the early development of the Internet to help illustrate how this important topic has evolved in the United States — which I hope helps to connect a few of the dots leading to how we got to where we are today, and where we need to go.
Ground zero: the origins of the GDPR, the Internet
and the browser wars
For Americans who are unaware, the GDPR, or General Data Protection Regulation, is the major reason why data privacy has become a legal issue, at all. Why? Read on…but the GDPR, and the subsequent California Consumer Protection Act (discussed below), is why you started seeing all those little popup windows asking you to accept cookies appearing on the websites you were visiting around the start of 2020.
Regulation around data privacy has been a fact in the European Union since the GDPR was passed in 2016, and took effect in 2018; see its wikipedia article for a quick overview. However, I doubt many Americans are aware that the discussion around data privacy had been actively going on in Europe for several decades; and that this was much more active than any such discussions in the US during the same period. While not a major news item, data privacy was being actively debated in a certain portion of civil society in the EU, which has a history of being more concerned about civil protections from corporate activity than in the US.
The history of the GDPR goes back to beginnings of the influence of computers on society back in the 1970’s; see this historical overview on “A brief history of the General Data Protection Regulation” at the IAPP. This discussion, largely internal to the parts of the EU government concerned with it, intensified in the 1990’s, as the commercialization of the Internet began to take hold, and its technological possibilities and social implications became more apparent.
In contrast, there was little discussion of the implications of the digitalization of people’s personal data in the US during those times. Although there had been growing use of bulletin board software among amateur enthusiasts in the US in the 1980s (including myself; I preferred TBBS, The Bread Board System), there was only slight discussion of this technology among the general public, and therefore little interest from corporate investors. Although technology companies had begun running their own bulletin boards for competitive reasons, they remained slow, cumbersome and difficult to scale. It was certainly not on the radar of Wall Street as an investment opportunity.
However, this perception began to change when the Internet exploded into public awareness in the early 1990’s with the release of the Mosaic browser in 1992. While agonizingly slow (yes, I did use it), it allowed for the first time viewing of a few available webpages, such as the 1994 Olympic games, which I recall seeing in a professor’s office on the CU-Boulder campus at the time. This immediately captured the public’s attention, though the slow speed at which this first crude browser worked made it somewhat impractical for actual applications; so it remained more a technical amusement than a tool for actual work.
That was quickly corrected by good old US capitalism. Just as the TCP/IP protocol that made the foundation of the Internet possible had been developed by the government, due to DARPA contracts from the US Department of Defense starting back in the 1960’s, the Mosaic browser was due to the public sector as well: it was developed at the National Center for Supercomputing Applications (NCSA) at the University of Illinois at Urbana–Champaign. It was first created by graduate students, and did receive some funding, because this is the period when the nascent open source software movement was beginning. The existing and well developed non-browser based protocols such as FTP (File Transfer Protocol), and text-based email apps, like Pine and Elm, facilitated this collaboration. Two members of its programming team, Marc Andreessen and Eric Bina, saw the future, went out to Silicon Valley to seek some venture capital, came back and raided the graduate students in the NCSA office who wanted to make some money too, and took them out to California and created Netscape. Then the browser wars between Netscape and Microsoft took off, and the rest is history; but I digress…
The splash of attention caused by the Mosaic browser, which illustrated a new possible technology but did not result in any immediate industrial changes, has echos earlier in the twentieth century. The spread of radio in the 1920’s followed a similar pattern. At first, radios were just a technical novelty, purchased by ‘earlier adopter’ households among those who could afford it, and was quite limited. But once radios were priced at what most households could afford, it became obvious to the business community of the potential for this technology to expand markets for the sales of any type of product that could be mailed. Internet technology was no different, and it spread in the 1990’s as the technology around phone modems improved, and allowed more and more people to start using text-based email, bulletin boards (precursors to websites) and this new fangled thing called a web browser.
The Gold Rush Begins
From what I observed at the time, from the perspective as a graduate student in telecommunications in the mid-1990’s at CU-Boulder, there was a groundswell of blind exuberance in US civil society that likened the Internet to the opening a new frontier. By contrast, the discussion among European civil servants and intellectuals was more muted, cautious and realistic; they correctly perceived the risks involved with this new technology: the ability to commit fraud, create fake identities or endanger individuals’ privacy and physical safety. Although I was also caught up in the excitement of that moment — that this technology could create a kind of Star Trek-like ubiquitous public utility, free to the public, which would be some kind of social nirvana that could save the world — I felt a certain reservation. I could not articulate them at the time, but from inklings gained from my telecommunications education at CU-Boulder, I intuited that technology companies might brush aside the public potential of the Internet, and rush into it for the business opportunities alone.
And as things have worked out, that premonition has turned out to be all too true.
This became abundantly evident in the late 1990s during the ‘browser wars’, when Bill Gates and his lieutenants at Microsoft attempted to get a competitive edge (if not a de facto monopoly) for their web browser, the Internet Explorer — and to put Netscape permanently out of business. Though it may sound far fetched today, at the time Microsoft sought to dominate the Internet by making its browser the default selection on any new PC that was sold. Apple was still playing catchup to Microsoft’s market domination, though even then it was, and remains today, the preferred desktop by programmers. (The Linux platform was even further removed from the mainstream, and not a market contender in the 1990’s.) Due to their strongarm tactics with at the time, Microsoft forced the PC hardware manufacturers, which came with Windows installed, to make Internet Explorer the default browser, and thus have an edge over the adoption of Netscape Navigator, which required some technical effort by PC owners to download and install from another website.
This abuse of their monopoly power in the PC hardware market led to the infamous Microsoft anti-trust suit in 1999. I don’t use the word infamous lightly; because it was obvious to members of the IT community that Bill Gates and other Microsoft executives lied, deflected and evaded being honest in their answers in court — simply because few people at the time understood the technology. Their main line of defense was Internet Explorer, their web browser, was an “inherent part of the Windows operating system”, and therefore could not be separated from it; which, as any programmer or computer science professor knows, is a bald-faced lie.
Fortunately, the DOJ and District Court judges saw through this flimflam, and issued a judgement that Microsoft was a monopoly, and ordered it to be split up into two companies, one for the Windows operating system, and one for everything else (including their browser, Internet Explorer). Microsoft appealed, the case went to the Supreme Court, where Microsoft repeated its lie about its browser being part of its operating system. Here, Microsoft agreed to a settlement with the DOJ instead of awaiting a decision by the SCOTUS; ostensibly Microsoft lost this case, but it was still a strategic victory for Microsoft. Their punishment was a slap on the wrist, and the company’s monopoly position effectively remained in place.
In the end, all that was demonstrated by the Microsoft anti-trust suit was that they had a misguided corporate strategy, that the DOJ let them get away with it, and that no one understood where the Internet was headed — except that it would continue to grow. Effectively, the US judicial system gave a green light to corporate capitalism to do what it wanted with the Internet; which set the stage for the next phase of the evolution of the Internet in the US: the Dot Com boom and bust in the stock market.
Not much needs to said about this ridiculous period, except that it was a perfect example of market hucksterism run amuck, and that the government regulators who were ostensibly in charge with keeping such markets honest were basically asleep at the switch. (I was closely attuned to the unreality of this period, as I worked at a “dot com” startup from fall 1999 to fall 2000 in Boulder; ask me about details.) It was also yet another example of a Wall Street induced recession, which could have been prevented by more stringent requirements on investor capital thrown at the dot com companies issuing their IPO’s on the stock exchanges. However, there is this generally prevailing attitude in the US, particularly in Wall Street, of allowing such “irrational exuberance” to prevail, the phrase made famous by Alan Greenspan, then chair of the Federal Reserve, during testimony before Congress at the time about the overheated US stock markets.
In hindsight from 2021, I can see now that this naive enthusiasm about the potential of the Internet had strong similarities to the opening of the Western frontier in the late 1800’s. With the historical perspectives now available, the opening of the Western frontier depended heavily on developments such as: transcontinental railroad lines; multiple local hysterias over gold, silver or other metals; land speculation among politicians and the wealthy; and, of course, the genocide of the indigenous people wherever they got in the way — all of this was rampant throughout the West. Nonetheless, popular culture has romanticized this period in pictures, novels, movies, articles in popular media; but when the veneer of romantic notions about how the American West are peeled aside, it’s not a pretty picture. And although the romantic veneer is being slowly washed away by more realistic portrayals of the American West in popular media, books and arts in the current time, that stereotype was deeply entrenched for most of the 20th century — and was unquestioned by the consumer mindset of the majority of Americans. Those deep social archetypes carry their own momentum, biases and prejudices — which are certainly still with us today. And which certainly permeated the political perspectives in the US about this strange new technology called the Internet.
Truth be told, economic exploitation by the capitalists of the 19th century — whether in land, gold, railroads or other natural resources — was the predominant motivating factor that explains how the Western US was settled. I think what we are now experiencing in the 2020’s with how the internet has evolved is following a similar pattern — but with greater consequences for political outcomes.
Can we do better than an historical pattern of exploitation?
How history repeats itself: this leitmotif of economic exploitation of the American West seems appropriate in evaluating how the Internet has developed — and the limits of allowing unfettered market activity to takes its course. This seems especially pertinent when we examine how data privacy has been treated during the recent evolution of the Internet.
Any discussion of individual rights on the Internet was very much an afterthought in the US, and was not part of the discussion as it was in Europe, prior to the Internet’s rise to its current domination of our society. What is glaringly obvious in hindsight is that the development of the Internet in the US, once it was commercialized. It bears recalling that commercial activity was strictly banned on the early versions of the text-based Internet. Because the early development had been completely underwritten by the federal government via DARPA, no commercial activity was allowed on the text-based networks that were the direct precursors of the Internet we know today; the protocols that transfer the information are the same. The only difference today is how that information is presented in our browsers.
Once the technical potential of the TCP/IP protocol was proven around 1991, the NSF (National Science Foundation) began the process of commercializing the Internet. However, this transfer of technology from the government sector to the private sector was done without any awareness of the social and political implications involved. There was an implicit belief in the ability of “market forces” to determine how best to use this new technology — and little foresight about the societal impacts.
Consequently, what happened with the early Internet was the marketing of goods for the private sector, with little thought or foresight about what could happen to individuals, or to society at large, or its other potential uses in public health and the environment — much less its potential effect on politics. Although there was lip service to promoting competition in the telecommunications markets, it was slow to develop, and even after twenty years, the only area where there is real competition is in mobile phone service; and even then, Americans are typically limited to choosing between two or three providers. 1
Exploring this theme of the implications of allowing the private sector to exploit economic opportunity without thinking ahead of the potential harms has a close parallel in the environmental history in the US — which is truly harrowing — and should serve as an example of why greater regulatory protection is needed. This is the story of environmental pollution in the post-WWII era, which went unchecked — and largely unnoticed — until Rachel Carson published Silent Spring in 1962. Consider the environmental disasters that have occurred just in my generation: the embracing of DDT in the 1950s, then banned in 1972; Love Canal in 1977, that caused multiple deaths, sicknesses, miscarriages and birth defects before getting cleaned up; which resulted in passage of the Superfund Act 1980, an attempt to address the 1,344 sites that are known to still need cleaning up but is chronically underfunded; then, in 2010 the Deepwater Horizon oil spill…I could go on and on, but I think I make my point: government in the US at all levels are slow to act on social and environmental harm until the damage is horrifyingly obvious. From all current indicators, the same thing appears to be happening with the Internet, disinformation and data privacy rights.
Are we going to learn something from history here, or not? We need to step up to doing something preemptive in the realm of guiding the development of the Internet, the greatest information system ever devised by mankind, with huge potential for enhancing education, science, health and environmental protection. Or are we going to continue to allow great social harm to develop because of the lack of foresight? We already have a taste of what kind of harm can develop in dealing with the aftereffects of the January 6 attack on the US Capitol, which was a direct result of the targeted disinformation via platforms like Facebook.
Unfortunately, the federal government’s first steps in data privacy were not to protect individual privacy, but rather to ensure that no one’s privacy should be hidden from the government (shocker!). Perhaps there are some lessons from history here? Let’s take a look…
The US Government’s first reaction to digital rights: No privacy for you!
What the US government was concerned about in the 1990’s was not the privacy rights of individuals but rather the ability of the government to intercept and decipher any electronic communication.
When Phil Zimmerman published his software tool, Pretty Good Privacy (PGP), on the Internet in 1991 as an open source encryption tool, it landed like a bomb in the public media. In effect, the tool would allow anyone with the appropriate software skills to encrypt their texts, emails and hard disks with a high level of security. How high? Well, it’s how Edward Snowden encrypted his email messages to prevent the NSA from reading them; and Mr. Snowden is still at large in Russia. I’d say PGP is pretty secure encryption; however, the practical impact was limited to those with the technical skills to use it.
This resulted in a multi-year investigation of Mr. Zimmerman by the US Justice Department until it dropped its case in 1996. I recall going to hear Mr. Zimmerman speak at a public function in Aspen in 1995, when the outcry over his prosecution was at its height. As a professional programmer myself, the injustice and unreasonableness of it all was blatantly obvious, as was the lack of credibility of the government in its assertions about why they needed to control data encryption — an impossible task, since the genie was already out of the bottle. Punishing individuals like Mr. Zimmerman was not just bad policy; it made the US DOJ look like fools to the rest of the technical community, and brought hardship and stress to Zimmerman and those around him. It was a good decision that the US DOJ decided to drop its case in 1996.
The Dot Com Interlude: another Wall Street bubble…and bust
The Dot Com period, roughly 1995 to 2002, was a prime example of the American habit of confusing economic exploitation with actual economic development. This results in a waste of resources that is inefficient and destructive, due to a lack of recognition of the public good aspect of the Internet commons. By assuming that a private market approach will solve the problem, we are only prolonging the day of reckoning when we will need to bite that bullet, and admit that the Internet is a commons that needs protection. So where did the US evolution of the Internet go wrong, and what might we learn from it?
Once the commercialization of the Internet got rolling in the US in the late 1990’s, it did not take long before Wall Street speculators got involved. Concisely described in the Wikipedia article on the dot-come bubble of 1997-2003, it goes without saying that this was all about economic exploitation, and getting rich quick by companies rushing to get IPO done before the bubble burst. What made this Wall Street bubble different from previous ones was unknown quality of Internet technology. This new center of the speculation was about a technology that did not fit in well with other regulated industries. The Federal Communication Commission (FCC) regulated the technology but had no mandate to oversee investments in it. The Securities and Exchange Commission (SEC) kept watch over fraud in the financial markets but had no expertise in understanding telecommunication networks, much less how website commerce worked, or if the dubious claims in their IPOs had merit.
As such, there was no coordinated regulatory response to check the frenzied speculation in companies whose primary assets were specious ideas about their websites and investor enthusiasm. However, the bubble eventually collapsed in on itself by early 2000, as the dot com’s ran out of cash, and their stratospheric stock prices came crashing back to Earth by 2002.
It should be noted that the dot com bubble got a real boost from the permissive financial regulatory environment at the time, headed by then Fed Chairman Alan Greenspan. During his long reign at the head of the Fed after getting appointed by Reagan in 1987, his opaque public remarks about economic conditions and Fed policy earned him renown as being inscrutable but respected. He never once wavered from the “free market” ideology that dominated the Republican Party, but who later recanted before Congress that his market ideology was sadly mistaken, though only after the 2008 financial panic nearly brought down the global economy. This was yet another example of how the US allows a pattern of massive exploitation before taking any preventive actions.
The financial regulatory authorities may have learned some lessons from those lessons of history; but what has the US government learned about the need to regulate the Internet? The post-9/11 period has some lessons on that score.
Privacy rights? What privacy rights?
The government stance towards private online data and, more particularly, live communications, took a sudden turn for the worse after September 11, 2001. With the passage of the Patriot Act, barely over a month after the fateful attack, the National Security Agency (NSA) charged into action — and apparently simply started recording everything it could, and building its own software tools to analyze it. Beneath this turbulent period of US invasions of first Afghanistan and then Iraq, with the CIA pursuing terrorists around the world, legally and illegally, was the ramping up of cyberwarfare capabilities and hypersurveillance of the Internet by the NSA, working in conjunction with the United Kingdom. None of this would likely have come to light were it not for the revelations shared by Edward Snowden in 2013. After he contacted a couple of journalists in Hong Kong in 2013, and then shared thousands of classified documents from his work at the NSA, a global spotlight was suddenly shown on just how flagrantly the NSA had invaded everyone’s privacy, from phone calls to emails, to allow the NSA full access to their networks. Though it was focused primarily on the US, since most of the Internet backbone traffic flowed through the US, it was a de facto Internet-wide access.
With its sweeping actions, the NSA made clear it never considered that anyone had a right to individual privacy when it came to their work; but Edward Snowden certainly did. Not only the privacy of individuals, he was concerned that the very institutions of democracies around the world were threatened by the actions of the NSA and other security agencies. The threat of an authoritarian government misusing such power was an obvious possibility — which has certainly turned out to be the case in modern day China. The explosive information that Snowden shared has resulted in a large, organized backlash against these actions of the NSA and other agencies, with the more blatant bulk collection of data being questioned. This saga is far from over, with Edward Snowden still needing to live in Russia to prevent being criminally charged by a hostile US government, and the programs of the NSA, apparently, still ongoing under a cloak of classified secrecy.
Which brings us up to the present…and a growing awareness that perhaps people should be able to control their personal data.
Privacy rights reform in the US: it takes a debacle
As has been the pattern with much of American history, it is not until there is a real crisis that the political will develops to craft legislation that deals with it — particularly if it originates in the private sector. Let’s call it the American Way. That was how the American West was settled, how many of our natural resources have been “developed”, and now, how the US is handling legislation around privacy rights; and much of the impetus has grown out of the chaos inspired by disinformation spread via the Internet and social media. How did this come about?
Historically, the origins of the Internet evolved out of an academic environment where there were high levels of trust, sharing and cooperation; this is well documented in Where Wizards Stay Up Late by Katie Hafner. Little thought was given to cybersecurity threats or how data privacy might be abused. As the motto of the Internet Engineering Task Force showed, the emphasis was on “Rough consensus and running code.” This same spirit of openness, optimism and trust was how Google (in 1998) and Facebook (in 2004) were initially received.
Although a good deal of legislation has addressed our physical privacy and how personal information should be handled (see this excellent History of Privacy Timeline from the University of Michigan), there was actually no law governing how personally identifiable information (PII) should be handled by companies as the Internet became commercialized during this period. And it took a while for Google and Facebook, the real pioneers in this area, to figure out how to do it, but the evidence eventually began to trickle out how Google and Facebook were tracking its users’ every click, and analyzing this data to figure out how to place ads that directly marketed to individual users — a previously impossible advertising mechanism, but which could justifiably be called the Holy Grail of the advertising industry. This was the beginning of what has come to be known as ‘ad tech’, or technology used for digital marketing that is entirely automated, invisible to the user, but entirely visible to the companies collecting and sharing the data — and completely unregulated, other than standard contract law about truth in advertising and outright fraud.
Unfortunately, much of this social media software architecture also had rather porous security standards. All of the custom software around adtech software was oriented towards making money off of advertising; and just as online security for the Internet overall was only addressed as an afterthought, making their own adtech tools secure from abuse was not part of its design — which Facebook found out the hard way. When the Cambridge Analytica scandal blew up in their face in 2018 due to a whistleblower, Facebook had a full scale public relations disaster on its hands; it was the most explosive data breach in the short history of data privacy. Edward Snowden’s leaking of NSA documents in 2013, while greater in volume and scope as a data breach, was confined to surveillance by the government; the Cambridge Analytica scandal exposed how the data involved had been used to influence a presidential election. Examining this story in more detail is instructive for lessons for data privacy.
By 2014, Facebook had amassed over 1 billion users, the first social media company to do so. 2 Despite being highly profitable and having the funds to do so, internal data security was not a priority for the company; their motto, “Move fast and break things”, proudly proclaimed by Zuckerberg himself, gives an idea as to where their priorities lay. Accordingly, when a few small abuses of customers’ data had popped up now and then, there did not seem any great cause for alarm.
However, what the Facebook management was not aware of was that a sophisticated and determined company in England, headed by a few technical experts who suspected there was political gold that could be sifted from the data contained in Facebook profiles — if only they could lay their hands on it. So from 2013 to 2015, the company, Cambridge Analytica, quietly probed and prodded and downloaded the personal Facebook data on at least 87 million users. By building psychological profiles from the data, the company was able to design political advertising campaigns to appeal to those profiles, which the company proceeded to surreptitiously market to political parties that might be interested. Due to the shadowy connections that the company’s management had with conservative politicians, military and other political operatives (the management background of the company was as a military contractor in the UK), the company’s clients tended to be conservative or even dictatorial regimes, in about a dozen countries around the globe. All of these provided experience, credibility and proven strategies when Cambridge Analytica (CA) approached Republican candidates in the US in 2015 during the runup to the 2016 election.
And by the way, Cambridge Analytica was funded by Steve Bannon and Robert Mercer at the time, who were hell bent on creating an insurgency in the U.S. (why they wanted to do this, of course, is a matter that only their own twisted minds, or perhaps their psychologists, can answer.) That is another story, of course, which is not part of this article about data privacy; but Steve Bannon’s story is still playing out, since as of November 2021 he is being supoenaed to testify regarding the January 6 riot. The full story of Cambridge Analytica is told in great detail by Christopher Wylie, one of the key programmers at Cambridge Analytica since 2013, but who decided to become the whistle blower who exposed them in March 2018. 5
And so it happened that the Trump and Ted Cruz campaigns began to intensively apply the CA tool in its own social media campaigns, identifying and targeting individual Facebook users, right under Facebook’s nose — because that’s how adtech works: it is focused on money alone, with few scruples about who it comes from or why. That would not come to light until the CA scandal exploded in March 2018. Once it broke in major media newstreams everywhere, it required the full attention of Zuckerberg and the upper management of his company. Zuckerberg was summoned to testify before Congress on quite a hot seat. Explaining how one of the foremost technical companies in the world allowed a data breach of 87 million of its users to be stolen, in effect in broad daylight, really had no explanation; Facebook had been duped at their own game.
Essentially, Facebook had no explanation, and was subsequently fined $5 billion by the Federal Trade Commission, then paid a £500,000 fine (approximately $650,000 in 2019) to the UK Information Commissioner’s Office — which hardly dented Facebook’s balance sheet that year. Facebook rolled on, despite the fines and negative publicity; but Cambridge Analytica was finished. They had been caught red-handed in violating their service agreement with Facebook, and filed for bankruptcy within two months. Though they are no more, they did plenty of political damage before their demise; and, unfortunately, proved the power of intentional disinformation on the platform. The post-mortem of the company, based on documents released after their insolvency, showed they has been involved in over 200 elections in 68 countries around the world, including influencing the election of the notorious Rodrigo Duterte in the Phillipines. One can only imagine how much bloodshed there might have been averted had Duterte not been elected.
Data privacy in the California surges ahead…after barely surviving a political gauntlet
Data privacy was hardly at the top of political agenda of any political party during the Trump era, despite the Cambridge Analytica scandal. Nonetheless, in more progressive states there has been some progress in data privacy reform, principally California. These reforms resulted out of growing concerns about how adtech has been enriching technology companies, or personal data being used unscrupulously. While technically unrelated, the increasing incidents of serious data breaches and the out of control ransomware attacks surely contributed to the growing unease among legislators and their constituents about how the Internet has evolved.
The experience of California is rather instructive, and seems a particularly American story of how a democratic effort started at the grassroots level, with the odds against it was nearly snuffed out by corporate interests, but triumphed in the end. Though well covered in the media at the time, it has quickly faded from view in the never-ending news cycle of global drama. I rather doubt most Americans realized its true significance at the time.
It all started at a dinner party…
Alistair Mactaggart, a wealthy and well established real estate developer in the Bay area, learned from one of his dinner guests (sometime in 2017, apparently), about what Google was doing with people’s personal data and online behavior. One of his guests was a Google engineer who was in a position to know what he was talking about: that Google, and the other tech giants, closely monitored their customers’ online activity and made wide use of that data. In fact, an entire market in the selling and reselling of this data — which tied online identities to real people and their online behavior — had mushroomed into a huge market, but was shrouded in secrecy, unless you participated in the shadowy world of adtech. It amounted to an online surveillance state — and deeply alarmed Mr. Mactaggart.
The analogy of this use of personal data to past exploitation of seemingly limitless natural resources was made by others writing on the topic: “To Silicon Valley, personal information had become a kind of limitless natural deposit…Like the oil barons before them, they had collected and refined that resource to build some of the most valuable companies in the world…” Other authors had a more sinister term for it: surveillance capitalism, according to Shosana Zubroff, a Harvard business school professor. 3
So, the adtech bonanza is quite analogous to the historical digressions about the economic development of the American West. The point is we should try to not repeat history here. But to continue with the story…
This new awareness set Mactaggart on a quest to do something about it, and, being a businessman, did so in an organized, tactical fashion. He had no experience in IT as a professional, but he certainly knew how to manage a project, set goals, and gather information. He hired a small staff to help him, started cold calling experts in the field, and got his ducks in a row, in other words. Based on this intensive research, he recruited some new advisers who identified with his concerns. With these newly discovered, experienced advisers (all two of them), they decided a statewide ballot measure put directly to the people of California would be the best way to accomplish two goals: educating the public on the issue of data privacy and getting a law on the books about it. They also hoped to thwart the Big Tech Silicon Valley lobbyists, whom they were sure would oppose this plan.
Quite by accident, Mactaggart had thrust himself into the middle of an intense struggle between the tech industry and the attention of many legislators across the US who were beginning to get interested in the issue. Silicon Valley lobbyists (read Google and Facebook) had successfully sabotaged an earlier attempt during the Obama administration to get a federal law passed about data privacy. 3 Mactaggart and his team were about to run into this same buzzsaw of political machinery — which quickly shaped into a David versus Goliath struggle in terms of political influence, clout and money in Sacramento, California’s capital. Because by this point in time, the lobbying efforts from Google and Facebook had become immense, which extended to capitals in influential states. They defeated the Obama effort to rein in the use of personal data; and they were more than ready to take on the effort by Mactaggart and his team.
Fortunately, Mactaggart’s team proved pretty savvy, and crafted a ballot measure that targeted the Achilles heel of adtech: the use of third parties in the processing of personal data, i.e. online advertisements. Rather than attempting a broad measure that challenged the tech companies directly, or trying to establish a nebulous concept of a “consumer right to data privacy” (as the GDPR had done), the measure focused on an existing business practice that had never existed before; but which, on the face of it, could appeal to voters’ common sense in calling out of how their personal data was being used. How would you feel if you knew your every click in your browser was being stashed in a corporate dossier, and being sold to the highest bidder to offer you ads, no matter where you went on the Internet? And that Facebook and Google had grown obscenely rich doing it? And that that these Facebook personal data dossiers had been illegally acquired by Cambridge Analytica to influence the 2016 presidential election? Not a pretty picture; so this creepy side of adtech is what Mactaggart’s team focused on.
There was little that the Silicon Valley industry could do to stop the ballot measure from being launched; but they certainly tried. Immediately after Mactaggart filed their measure with the secretary of state, they were contacted by Facebook and Google to discuss it. Other developments occurred suggesting the opposition was building against Mactaggart’s efforts, now known as the California Consumer Privacy Act (CCPA). Their canvassers had hit the streets, and had begun collecting signatures in January 2018. A new nonprofit suddenly appeared, the Committee To Protect California Jobs (CTPCJ) which was essentially a Super PAC to fund publicity efforts to dissuade the public against the CCPA. The stakes were clear: if their efforts succeeded, the CCPA would be on the November 2018 ballot as a statewide vote; this was viewed as a serious threat by the social media and telecom industry, and they immediately swung into political action — a game they well knew how to play.
The new nonprofit, the CTPCJ, was funded by Google, Facebook, Comcast, Versizon and AT&T. As Mactaggart put it, that was a wake-up moment for him and his team; “Welcome to the NFL,” as he put it. His small team was now up against some of the largest corporations in the world. The political pressure was building.
Then the Cambridge Analytica scandal hit in March 2018, which shook the political and social media landscape like an earthquake; it shifted everything. The canvassers for the CCPA suddenly found their job of getting people to sign their petition much easier; all they had to do was mention “data privacy” and people immediately signed. Score one for the Mactaggart team.
Zuckerberg was dragged into Congressional testimony in April 2018; Facebook appeared to be chastened. He essentially admitted, rather sheepishly, that they should probably be regulated. Since the Congress had no clear idea what to do, they let the FTC decide how to handle it; it slapped Facebook with a $5 billion fine, which it dutifully paid, as this hardly made a dent in their annual cash flow — and which essentially changed nothing. However, it did end Facebook’s political contributions to the CTPCJ.
Nonetheless, due to the fundamental change that the CCPA would make in the online world of adtech, and its sudden appearance on the online stage, there was not universal agreement among the progressive elements of the Internet political groups. Influential organizations, like the ACLU and the EFF (Electronic Frontier Foundation), came out against it, for various reasons. The rest of that spring and summer was a tense period for the team that created the CCPA ballot measure, as Big Tech lobbyists (AT&T, Google and Facebook, primarily) strategized to craft an alternative bill in the state legislature, and persuade Mactaggart to go along with that instead.
They did not succeed. Nothing they proposed had any real teeth in it about protecting peoples’ data privacy. While Mactaggart was initially willing to compromise, as time wore on, his team went through a string of proposals from the Big Tech lobbyists. Eventually, working with other legislators, a compromise was worked out — though there were some dicey back and forth maneuvering between the two sides. The Big Tech lobbyists attempted to shape the bill how they wanted, and avoid having that looming, potentially disastrous, state vote on the CCPA ballot measure in November — which at this point, looked like it would likely pass. To fight that, the tech industry would have to spend massively on a negative ad campaign, and make themselves look bad in the process: how can you be against data privacy for people?
In any event, as the bill came down to a vote in the state legislature, the Big Tech companies agreed not to fight it; and it passed by an unanimous vote in both chambers. It was a sweet victory for the Mactaggart team. But what happened next was even more remarkable: the California Privacy Rights Act (CPRA). Also known as Proposition 24, was a ballot measure — on purpose. Its wikipedia article gives a good summary of it (and shows which parts of the state supported it and which didn’t). This time, rather than just having the state legislators pass it, the CPRA was intentionally run as a ballot proposition to allow the people of California express their voice on this momentous matter; it passed by 55%, a positive and definitive, though not large, majority. This time around, the Mactaggart team had been bolstered by a formidable advisory board, that helped mount a full court press in the media campaigned in the runup to the election. Like the CCPA before it, this act focused strictly on the data collected about customers by large companies, and the sale or transfer of that data to third parties. It greatly expanded, strengthened and entrenched the CCPA law. Some remarkable aspects were that the law cannot be repealed by future state legislatures and it created a new agency to enforce it, the California Privacy Protection Agency.
That new agency is directly analogous to the Data Protection Authorities (DPA) required by the GDPR, and there is a DPA office in every EU member state. In a very real sense, California has led the US into the data privacy era. It seems only a matter of time before the country must pass federal legislation to address this pressing issue.
Waiting for the Devil at midnight at a crossroads: Data Privacy in the US in 2021
As 2021 draws to a close, data privacy in the US stands at a crossroads in a perilous time. Given the high pitch of discord and disinformation across the country, the increasing frequency of scandals from social media, and the glaringly obvious oversized influence that social media is having on politics, the message is becoming clear: federal legislation needs to address data privacy, the sooner the better; bills have been introduced since 2017, but to no effect. The experience in California serves as a powerful example of how such legislation should be crafted, and why.
By 2021, a handful of states have taken the lead in passing legislation that guarantees privacy rights. California, Colorado and Virginia have passed binding data privacy laws, with about a dozen other states considering them. The IAPP’s US State Privacy Legislation Tracker is a useful source to check the current status of state level privacy legislation, and their US Federal Privacy Legislation Tracker tracks bills being introduced in the US Congress. As the Federal Tracker at the IAPP shows, a number of bills have been introduced in both the House and the Senate, by both Democratic and Republican sponsors. The political polarization of the issue is readily apparent even from the titles of the bills. Call me biased, but the Republican bills seem off the mark; instead of protecting personal privacy, they are obsessed with side issues of whether vaccines should be required for international travel, or whether investors in financial markets can do so anonymously; really? They entirely miss the point: our democracy is at risk. The issue needs to be addressed head-on. The problem is clear: the misuse of personal data to target ads. Certainly there are other issues, but this is the most critical thing wrong with how the Internet is being used today.
As a recent op-ed in the New York Times made clear 4, the forces for democracy in the US are at crossroads: it is time for a democratic counter-revolutionary force to act that will essentially shut down the state of surveillance capitalism, expressed through strong, binding legislation, that is strictly enforced — because this is the only legitimate force in society that can correct the basic economic mechanism that is enabling Big Tech companies to continue operating. Although data privacy law has a higher and nobler aim — protecting the individual right to be left alone — it also has a more practical aim: to eviscerate the online advertising cash cow that has allowed Big Tech — principally Google and Facebook — to grow so large, so quickly, and to have such negative influences on society.