Privacy: one step forward, one step back.

A quick hit here to memorialise two privacy-related bits of news: a German court bans Facebook from tracking you elsewhere, but US Republicans try – again – to ban encryption that actually works.

Like many people, I barely use Facebook. And when I do, I only do so when using Incognito (Chrome) or Private Browsing (Safari). It’s annoying logging in each time (albeit less so with 1Password). But it stops Facebook from doing something I viscerally loathe: tracking everything else I do, everywhere else, thanks to tracking code and cookies.

I get that this may make me a paranoid tin-hat type. I’m OK with that. Just like I’m OK with blocking ads which rely on adtech, preventing videos from auto-playing, and generally trying to stop a simple text website from downloading an extra double-digit MB load of data so they can show me ads so intrusive that I never want to go back to the site in question. (I’m fine with ads. I like free stuff, paid for by advertising. But adtech-delivered ads are essentially a conman’s dream. And from a data protection/privacy perspective, I have grave doubts about whether adtech is lawful. So I’m very happy to screw with it.)

Which makes a German court’s decision to reinstate a ruling banning Facebook from combining its own data with that from other sites into so-called “super-profiles” very interesting. The ban was at the behest of Germany’s Cartel Office, and the judge’s ruling (press release in German here) said there wasn’t any serious doubt over whether Facebook was (a) dominant and (b) had abused that position – particularly by getting information from non-Facebook sources.

The ruling only applies to Germany, of course. But this does seem to be the first time that cross-site tracking and data collection have been seriously set back. Which may make things slightly hotter for adtech’s widespread consent-less collection of personal data, legally speaking. The dominance question doesn’t necessarily arise there, of course, but the ruling nonetheless explicitly addresses, in resolutely negative terms, what TechCrunch calls “track-and-target” and what writers like Shoshana Zuboff and many others call surveillance capitalism. It does so by noting that a significant number of Facebook users would prefer not to be tracked and targeted, and a properly-functioning market would allow them that option. It’s hard to see how the same can’t be said for adtech in general.


Less encouraging, and far more predictable, is US Senate Republicans’ move to introduce legislation (the LEAD Act – seriously, these acronyms…) to “end the use of warrant-proof encrypted technology by terrorists and other bad actors”. As almost any even slightly encryption-savvy person will know, this translates to “making encryption stop working securely”. Simply put, if – as this legislation would appear to require – a service provider keeps a key to your comms so it can give it to law enforcement, then end-to-end encryption is done and your comms aren’t secure any more. As Ars Technica puts it, “Encryption doesn’t work that way.” Anyone claiming it does is either ignorant or acting in bad faith. No real middle ground there.

John Gruber points out that describing the bill as “a balanced solution”, as its proponents do because the key would only be handed over with a court order, is hogwash. If a key exists, it becomes a target. “That’s how the law works today,” he writes. “What these fools are proposing is to make it illegal to build systems where even the company providing the service doesn’t hold the keys.”

Fools seems like a generous description. It presupposes good faith. I’m not sure I’d go that far.