If Apple is the only organisation capable of defending our privacy, it really is time to worry

Image: A man leaves an Apple store in Beijing. Apple’s efforts to prevent apps from secretly shadowing people have caused a furore in the tech industry. Photograph: Andy Wong/AP

A giant private company is doing the work governments should be doing on regulation of user data. That’s not a good thing

A few weeks ago, Apple dropped its long-promised bombshell on the data-tracking industry. The latest version (14.5) of iOS – the operating system of the iPhone – included a provision that required app users explicitly to confirm that they wished to be tracked across the internet in their online activities. At the heart of the switch is a code known as “the identifier for advertisers” or IDFA. It turns out that every iPhone comes with one of these identifiers, the object of which is to provide hucksters with aggregate data about the user’s interests. For years, iPhone users had had the option to switch it off by digging into the privacy settings of their devices, but, because they’re human, very few had bothered to do that.

From 14.5 onwards, however, they couldn’t avoid making a decision and you didn’t have to be a Nobel laureate to guess that most iPhone users would opt out. Which explains why those who profit from the data-tracking racket had for months been going apeshit about Apple’s perfidy. Some of the defensive PR mounted on their behalf, for example Facebook’s weeping about the impact on small, defenceless businesses, defied parody. Other counteroffensives included attacks on Apple’s monopolistic control over its App store and charges of rank hypocrisy – that changes in version 14.5 were not motivated by Apple’s concerns for users’ privacy but by its own plans to enter the advertising business. And so on.

It will be a while until we know for sure whether the apocalyptic fears of the data-trackers were accurate. It takes time for most iPhone users to install operating system updates and so these are still relatively early days. But the first figures are promising. One data analytics company, for example, has found that in the early weeks the daily opt-out rate for American users has been about 94%. This is much higher than surveys conducted in the run-up to the change had suggested – one had estimated an opt-out rate closer to 60%.

If the opt-out rate is as high as we’ve seen so far, then it’s bad news for the data-tracking racket, which the Financial Times estimates to be a $350bn industry, and good news for humanity.

The computerised, high-speed auction system in which online ads are traded seems not to be compatible with the law – and is currently unregulated. That is the conclusion of a remarkable recent investigation by two legal scholars, Michael Veale and Frederik Zuiderveen Borgesius, who set out to examine whether this “real-time bidding” (RTB) system conforms to European data-protection law. They asked whether RTB complies with three rules of the European GDPR (General Data Protection Regulation) – the requirement for a legal basis, transparency and security. They showed that for each of the requirements, most RTB practices do not comply. “Indeed,” they wrote, “it seems close to impossible to make RTB comply.” So, they concluded, it needs to be regulated.

It does. Often the problem with tech regulation is that our legal systems need to be overhauled to deal with digital technology. But the irony in this particular case is that there’s no need for such an overhaul: Europe already has the law in place. It’s the GDPR, which is part of the legal code of every EU country and has provision for swingeing punishments for infringers. The problem is that it’s not being effectively enforced.

Why not? The answer is that the EU delegates regulatory power to the relevant institutions – in this case data protection authorities – of its member states. And these local outfits are overwhelmed by the scale of the task and are lamentably under-resourced for it. Half of Europe’s DPAs have only five technical experts or fewer. And the Irish data protection authority, on whose patch most of the tech giants have their European HQs, has the heaviest enforcement workload in Europe and is clearly swamped.

So here’s where we are: an online system has been running wild for years, generating billions in profits for its participants. We have evidence of its illegitimacy and a powerful law on the statute book that in principle could bring it under control, but which we appear unable to enforce. And the only body that has, to date, been able to exert real control over the aforementioned racket is… a giant private company that itself is subject to serious concerns about its monopolistic behaviour. And the question for today: where is democracy in all this? You only have to ask to know the answer.

All Rights Reserved for John Naughton 
