[Plura-list] Privacy Without Monopoly, EU edition

Cory Doctorow doctorow at craphound.com
Fri Jun 11 12:54:01 EDT 2021

Today's links

* Privacy Without Monopoly, EU edition: The GDPR forbids competition in
human rights abuses.

* This day in history: 2001, 2006, 2011, 2016, 2020

* Colophon: Recent publications, upcoming/recent appearances, current
writing projects, current reading


🌍 Privacy Without Monopoly, EU edition

Tech monopoly apologists insist that there's something exceptional about
tech that makes it so concentrated: "network effects" (when a product
gets better because more people use it, like a social media service).

They're wrong.

Tech is concentrated because the Big Tech companies buy up or crush
their nascent competitors - think of Facebook's predatory acquisition of
Instagram, which Zuckerberg admitted (in writing!) was driven by a
desire to recapture the users who were leaving FB in droves.

Google's scale is driven by acquisitions - Search and Gmail are Google's
only successful in-house products. Everything else, from Android to
YouTube to their entire ad-tech stack, was once a standalone business
that Google captured.

Monopolies extract monopoly rents - like those delivered by Googbook's
crooked ad-tech marketplaces, or Apple/Google's 30% app shakedown - and
use them to maintain their monopolies. Google gives Apple billions every
year so it will be the default iOS and Safari search.

These are the same tactics that every monopolist uses - high-stakes
moneyball that creates a "kill-zone" around the monopolist's line of
business that only a fool would try to enter. Tech DOES have network
effects, but that's not what's behind tech monopolies.

We see monopolies in industries from bookselling to eyeglasses,
accounting to cheerleading uniforms, pro wrestling to energy, beer to
health insurance. These monopolies all follow Big Tech's template of
mobilizing monopoly rents to buy or crush all competition.

The differences between the anticompetitive tactics that monopolized
these industries are largely cosmetic - swap out a few details and you
might well be describing how John D Rockefeller and Standard Oil
monopolized the oil markets in the late 19th and early 20th centuries.

Big Tech *does* have network effects, but these are actually a tool that
can be used to *dismantle* monopolies, as well as maintaining them.
Network effects are double-edged swords: if a service gets more valuable
as users join, it also gets *less* valuable as users *leave*.

If you want to understand the anticompetitive structure of the tech
industry, you'd be better off analyzing *switching costs*, not network
effects. Switching costs are the things you have to give up when you
leave a service behind.

If your customers, community, family members or annotated photos and
other memories are locked up in Facebook's walled garden (or if you've
got money sunk in proprietary media or apps on Apple's, etc), then the
switching cost is losing access to all of that.

Here's where tech really *is* different: tech has intrinsically low
switching costs. Latent in all digital technology is the capacity to
interoperate, to plug a new service into an old one, to run an old app
inside a simulator ("runtime").

There's no good *technical* reason you can't leave Facebook but take
your treasured photos with you - and continue to exchange messages with
the people you left behind.

True, Facebook has gone to extraordinary lengths to keep its switching
costs high, deploying technical countermeasures to block
interoperability. But these aren't particularly effective. Lots of
people have figured out how to reverse-engineer FB and plug new things
into it.

Power Ventures created an app that aggregated your FB feed with feeds
from rival services, giving you a single dashboard. NYU's Ad Observer
scrapes the political ads FB shows you for analysis to check whether FB
is enforcing its own paid political disinformation rules.

And there's a whole constellation of third-party WhatsApp clients that
add features FB has decided WhatsApp users don't deserve, like the
ability to block read-receipts or run multiple accounts on the same device.


Most of these are technical successes, but they're often legal failures.
FB has used the monopoly rents it extracted to secure radical new laws
and new interpretations of existing laws to make these tactics illegal.

Power Ventures was sued into oblivion. Ad Observer is fighting for its
life. The WhatsApp mods are still going strong, but that may be down to
the jurisdictions where they thrive - sub-Saharan Africa - where FB has
less legal muscle.

With low switching costs, much of FB's monopoly protection evaporates.
Lots of people hate FB, and FB knows it. You're on FB because your
friends are there. Your friends are there because *you're* there. You've
taken each other hostage, and FB benefits.

With low switching costs, you could leave FB - but not your friends. The
kill zone disappears. All we need is interoperability.

Enter the EU's Digital Services Act and Digital Markets Act, proposed
regulations to force interop on the biggest Big Tech players.

The EU has recognized that mandating interop can reduce switching costs,
and reducing switching costs can weaken monopoly power.

Some critics (like me!) of the EU proposals say they don't go far
enough, asking for "full interop" for rival services.

Against these calls for broader interop come warnings about the privacy
implications of forcing FB to open up its servers to rivals. It's hard
enough to keep FB from abusing its users' privacy, how will we keep
track of a constellation of services that can access user data?

Last Feb, Bennett Cyphers and I published "Privacy Without Monopoly,"
for EFF, describing how interoperability can enhance privacy.

Interop means that users can choose services that have better privacy
policies than Facebook or other incumbent platforms.


But in theory, it means that users could choose *worse* services -
services that have worse privacy policies, services that might be able
to grab your friends' data along with your own (say, the pictures you
took of them and brought with you, or their private messages to you).

That's why, in our paper, we say that interop mandates have to be
backstopped by privacy rules - democratically accountable rules from
lawmakers or regulators, not self-serving "privacy" limitations set by
the Big Tech companies themselves.

For example, Facebook aggressively imports your address books when you
sign up, to connect you to the people you know (this isn't always a good
experience - say, if your stalker has you in their address book and
automatically gets "friended" with you).

If you try to take your address book with you when you quit, FB claims
your contact list isn't "yours" - it belongs to your contacts. To
protect their privacy, FB has to block you from exporting the data -
making it much harder to establish social ties on a new service.

It's not obvious who that contact info "belongs to" (if "belong to" is
even the right way to talk about private information that implicates
multiple people!).

But what *is* obvious is that Facebook can't be trusted to make that call.

Not only has Facebook repeatedly disqualified itself from being trusted
to defend its users' privacy, but it also has a hopeless conflict of
interest, because privacy claims can be used to raise switching costs
and shore up its monopoly.

In our paper, Bennett and I say that these thorny questions should be
resolved democratically, not in a corporate boardroom.

Now, as it happens, there's a region where 500M people are protected by
a broad, democratically enacted privacy law: Europe, home of the GDPR.

Today, in a new appendix to "Privacy Without Monopoly," EFF has
published "The GDPR, Privacy and Monopoly," my analysis of how the GDPR
makes interoperability safer from a privacy perspective.


Working with EFF's Christoph Schmon and Bennett Cyphers, and outside
experts from other NGOs, we develop a detailed analysis of the GDPR, and
describe how the GDPR provides a lawful framework for resolving thorny
questions about consent and blended title to data.

The GDPR itself seeks to promote interoperability; it's right there in
Recital 68: "data controllers should be encouraged to develop
interoperable formats that enable data portability." But loopholes in
the rules have allowed dominant companies to stymie interop.

For years, Europeans have had the "right" to port their data, but
nowhere to port that data to. The DMA closes the loopholes and
dismantles the hurdles that kept switching costs high.

The GDPR's consent/security/minimization framework sets out the
parameters for any interoperability, meaning we don't have to trust
Facebook (or Google, or Amazon, or Apple) to decide when interop must be
blocked "to defend users' privacy" (and also shareholders' profits).

Big Tech platforms already have consent mechanisms (and must continue to
build them) to create the legal basis for processing user data. An
interoperable FB could be a consent conduit, letting your friends decide
when and whether you can take their data to a new service.

And the GDPR (not a tech executive) also determines when a new service
meets the privacy standards needed for interop. It governs how that new
service must handle user data, and it gives users a way to punish
companies that break the rules.

Today, if you leave Facebook, your friends might not even notice. But in
a world where FB is a consent conduit to manage your departure and
resettlement, all your friends get signals about your departure -
perhaps prompting them to consider whether they should go, too.

Far from prohibiting interop, the GDPR enables it, by creating an
explicit privacy framework that is consistent across all services, both
the old monopolies and the new co-ops, startups, public utilities, and
other alternatives that interop would make possible.

Monopolies distort the world in two ways. The most obvious harm is to
competition, choking out or buying out every alternative, so you have to
live by whatever rules the monopolist sets.

But the other kind of harm is even worse: monopolists can use their
political power to get away with terrible abuses.

Ad-tech concentration produced monopoly rents that blocked or weakened
privacy law for decades, allowing for a grotesque degree of commercial

We don't want competition in surveillance.

Opening space for interop poses a legitimate risk of creating a contest
to see who can violate your human rights most efficiently.


Yet, it's obvious that monopolists themselves shouldn't get to decide
where they should be subjected to competition and where they should be
subjected to regulation. That's a job for democratic institutions, not
autocratic board-rooms.

Adding privacy regulation (strong privacy regulation, with a private
right of action allowing users to sue companies for breaking the rules)
to interop is how we resolve this conundrum, how we make sure we're
banning surveillance, rather than "democratizing" it.


🌍 This day in history

#20yrsago Embarrassing gaffe in Microsoft’s anti-Linux campaign

#15yrsago Inside China’s iPod sweat-shops

#10yrsago Walt Disney’s 1956 time-capsule letter to the future

#10yrsago Terry Pratchett initiates assisted suicide process

#5yrsago It’s getting harder and harder to use gag clauses to silence
laid off workers in America

#1yrago Interoperability and privacy

#1yrago Tesla modder selling discounted upgrades


🌍 Colophon

Currently writing:

* Spill, a Little Brother short story about pipeline protests.
Yesterday's progress: 253 words (5218 words total).

* A Little Brother short story about remote invigilation.  PLANNING

* A nonfiction book about excessive buyer-power in the arts, co-written
with Rebecca Giblin, "The Shakedown."  FINAL EDITS

* A post-GND utopian novel, "The Lost Cause."  FINISHED

* A cyberpunk noir thriller novel, "Red Team Blues."  FINISHED

Currently reading: Analogia by George Dyson.

Latest podcast: How To Destroy Surveillance Capitalism (Part 06)

Recent appearances:

* Darts and Lasers podcast:

* Nicole Sandler Show:

* Fireside Chat with Beatriz Busaniche (Rightscon)

Latest book:

* "Attack Surface": The third Little Brother novel, a standalone
technothriller for adults. The *Washington Post* called it "a political
cyberthriller, vigorous, bold and savvy about the limits of revolution
and resistance." Order signed, personalized copies from Dark Delicacies

* "How to Destroy Surveillance Capitalism": an anti-monopoly pamphlet
analyzing the true harms of surveillance capitalism and proposing a
(print edition:
(signed copies:

* "Little Brother/Homeland": A reissue omnibus edition with a new
introduction by Edward Snowden:
https://us.macmillan.com/books/9781250774583; personalized/signed copies

* "Poesy the Monster Slayer" a picture book about monsters, bedtime,
gender, and kicking ass. Order here:
https://us.macmillan.com/books/9781626723627. Get a personalized, signed
copy here:

Upcoming books:

* The Shakedown, with Rebecca Giblin, nonfiction/business/politics,
Beacon Press 2022

This work licensed under a Creative Commons Attribution 4.0 license.
That means you can use it any way you like, including commercially,
provided that you attribute it to me, Cory Doctorow, and include a link
to pluralistic.net.


Quotations and images are not included in this license; they are
included either under a limitation or exception to copyright, or on the
basis of a separate license. Please exercise caution.



"*When life gives you SARS, you make sarsaparilla*" -Joey "Accordion
Guy" DeVilla
