Commonplace
This commonplace is an archive of articles, notes and quotes from books and the web.
-
9 January 2022
Threats that were only hypotheticals a decade ago are now very real. Russia proved it can turn off power in the dead of winter. The same Russian hackers who switched off the safety locks at the Saudi petrochemical plant are now doing digital drive-bys of American targets.
A rudimentary phishing attack arguably changed the course of the American Presidential election. We’ve seen patients turned away from hospital because of a North Korean cyber attack. We’ve caught Iranian hackers rifling through our dams. Our hospitals, towns, cities and, more recently, our gas pipelines have been held hostage with ransomware.
We’ve caught foreign allies repeatedly using cyber means to spy on and harass innocent civilians, including Americans. And over the course of the coronavirus pandemic, the usual suspects, like China and Iran and newer players, like Vietnam and South Korea, are targeting the institutions leading our response.
-
9 January 2022
One decade ago, the primary threats to our national security were still, for the most part, in the physical domain: hijackers flying planes into buildings, rogue nations getting a hold of nukes, drug mules tunneling in through the southern border, the improvised explosive devices tormenting our troops in the Middle East, and the homegrown terrorists detonating them in the middle of America. Developing the means to track those threats and stave off the next attack has always been in the NSA’s job description.
If the next 9/11 struck tomorrow, the first question we would ask ourselves is the same question we would ask some two decades ago: how did we miss this? But in the two decades since 9/11, the threat landscape has been dramatically overhauled.
It is now arguably easier for a rogue actor or nation state to sabotage the software embedded in the Boeing 737 Max than it is for terrorists to hijack planes and send them careening into buildings.
-
9 January 2022
The barrier between the physical and digital worlds is wearing thin. “Everything can be intercepted” is right, and most everything important already has: our personal data, our intellectual property, our chemical factories, our nuclear plants, even our own cyber weapons. Our infrastructure is now virtualised, and only becoming more so as the pandemic thrusts us online with a scope and speed we could never have imagined only weeks ago. As a result, our attack surface – and potential for sabotage – has never been greater.
-
9 January 2022
For years, intelligence agencies rationalised the concealment of digital vulnerabilities as critical to monitoring America’s adversaries, to war-planning, to our national security. But those rationalisations are buckling. They ignore the fact that the internet, like so much we are now witnessing in a global pandemic, has left us inextricably connected. Digital vulnerabilities that affect one, affect us all.
-
8 January 2022
Some choice quotes:
People don’t want to run their own servers, and never will.
Experiments
I made a dApp called Autonomous Art that lets anyone mint a token for an NFT by making a visual contribution to it. The cost of making a visual contribution increases over time, and the funds a contributor pays to mint are distributed to all previous artists (visualizing this financial structure would resemble something similar to a pyramid shape).
I also made a dApp called First Derivative that allows you to create, discover, and exchange NFT derivatives which track an underlying NFT, similar to financial derivatives which track an underlying asset 😉.
Trust
So much work, energy, and time has gone into creating a trustless distributed consensus mechanism, but virtually all clients that wish to access it do so by simply trusting the outputs from these two companies without any further verification. It also doesn’t seem like the best privacy situation. Imagine if every time you interacted with a website in Chrome, your request first went to Google before being routed to the destination and back. That’s the situation with ethereum today. All write traffic is obviously already public on the blockchain, but these companies also have visibility into almost all read requests from almost all users in almost all dApps.
Partisans of the blockchain might say that it’s okay if these types of centralized platforms emerge, because the state itself is available on the blockchain, so if these platforms misbehave clients can simply move elsewhere. However, I would suggest that this is a very simplistic view of the dynamics that make platforms what they are.
Tokens
Instead of storing the data on-chain, NFTs instead contain a URL that points to the data. What surprised me about the standards was that there’s no hash commitment for the data located at the URL. Looking at many of the NFTs on popular marketplaces being sold for tens, hundreds, or millions of dollars, that URL often just points to some VPS running Apache somewhere. Anyone with access to that machine, anyone who buys that domain name in the future, or anyone who compromises that machine can change the image, title, description, etc for the NFT to whatever they’d like at any time (regardless of whether or not they “own” the token). There’s nothing in the NFT spec that tells you what the image “should” be, or even allows you to confirm whether something is the “correct” image.
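To make the missing check concrete, here is an added example (my own, not code from the post or from any NFT standard) contrasting URL-only metadata with metadata that also carries a hash commitment of the bytes served at mint time. The `image_sha256` field, the URL and the image bytes are all constructed for the illustration.

```python
import hashlib

# Constructed sample bytes standing in for the image a token's URL serves.
ORIGINAL_IMAGE = b"\x89PNG\r\n\x1a\n constructed original image bytes"
TAMPERED_IMAGE = b"\x89PNG\r\n\x1a\n constructed swapped-in image bytes"


def sha256_hex(data: bytes) -> str:
    """Content hash used as the commitment (assumption: SHA-256)."""
    return hashlib.sha256(data).hexdigest()


def mint_metadata(url: str, image: bytes, commit: bool) -> dict:
    """Build token metadata.

    commit=False mirrors what the post describes: the metadata only names a
    URL, so nothing records what the image should be.  commit=True adds a
    hypothetical image_sha256 field holding the hash of the bytes the URL
    served when the token was minted.
    """
    meta = {"name": "Example Token", "image": url}
    if commit:
        meta["image_sha256"] = sha256_hex(image)
    return meta


def verify_image(meta: dict, served: bytes) -> str:
    """Check bytes fetched from the URL against the metadata.

    Returns 'verified' or 'tampered' when a commitment exists, and
    'unverifiable' when the metadata gives no way to tell.
    """
    expected = meta.get("image_sha256")
    if expected is None:
        return "unverifiable"
    return "verified" if sha256_hex(served) == expected else "tampered"
```

With a commitment, a swapped image on the server (or on a re-registered domain) is detected by any client that fetches and hashes; without one, both the original and the swapped bytes look equally valid.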
Comparisons to email
Given those dynamics, I don’t think it should be a surprise that we’re already at a place where your crypto wallet’s view of your NFTs is OpenSea’s view of your NFTs. I don’t think we should be surprised that OpenSea isn’t a pure “view” that can be replaced, since it has been busy iterating the platform beyond what is possible strictly with the impossible/difficult to change standards.
I think this is very similar to the situation with email. I can run my own mail server, but it doesn’t functionally matter for privacy, censorship resistance, or control – because GMail is going to be on the other end of every email that I send or receive anyway. Once a distributed ecosystem centralizes around a platform for convenience, it becomes the worst of both worlds: centralized control, but still distributed enough to become mired in time.
-
7 January 2022
If a GDPR case affects people in more than one EU nation, the regulator overseeing it must submit a draft decision to their counterparts in other countries. If other regulators raise objections to the penalty, they can trigger a dispute-resolution process, giving them more time to deliberate.
The Irish data-protection commissioner oversees Alphabet, Meta and other tech giants because those companies’ European headquarters are in Ireland. The Irish watchdog has faced criticism from activists and other European privacy regulators for the length of its investigations.
By choosing to fine Google and Facebook under the ePrivacy law, the French regulator avoided the frustrations of the GDPR’s power-sharing system.
Just imagine if these fines were issued under GDPR for the maximum 4% of turnover: we might see a bit more compliance on the cookie front.
Perhaps France should be responsible for overseeing Meta, Google and other giants under GDPR as well…or perhaps it shouldn’t be the sole responsibility of a commissioner in a single country.
-
6 January 2022
Emphasis mine:
Violent protests erupted over the soaring cost of fuel and [Kazakhstan’s] autocratic rule. President Kassym-Jomart Tokayev sacked his government and declared a state of emergency. Apparently on his orders, the largest telecom provider shuttered the internet to interrupt communications among the opposition’s ranks. When the web goes down, miners can’t communicate with the Bitcoin network. The “hash rate,” the random codes that win fresh awards of Bitcoin, collapses. A few hours into the outage, Larry Cermak of the crypto news and research site The Block tweeted that a full 12% of Bitcoin’s worldwide computational power had vanished. His data showed sharp declines for a number of producers with operations in Kazakhstan. The hash rates for AntPool, Poolin and Binance Pool all fell between 12% and 16%.
Blimey.
-
2 January 2022
Facebook likely maintains shadow profiles of people with deleted accounts anyway, so I’d rather be able to affirmatively control what they’re doing with the data they have on me.
Does Facebook continue to collect/store data about us (from advertisers, Facebook Pixel etc) even if we don’t have a Facebook account?
We already know that Facebook continues to store data about deactivated accounts and unless anything has changed since this exchange, it seems likely they do.
What’s the legal basis for storing or collecting that data about someone through a shadow profile? This is the same thing that caused the furore around Clubhouse’s request to upload all your contacts.
I’ve submitted a subject access request to find out what they have on me, but I suspect that will be rejected.
What right do companies have to collect/store/process data about individuals – associated through an email address, phone number or other identifier – when the individual hasn’t interacted with that company or has deleted an existing account?
-
29 December 2021
As part of a longer thread, Cory Doctorow tweeted:
After all, privacy is a team sport. I don’t use Gmail (my mail is on a standalone server that @orenwolf keeps at a data-center in Toronto, and I POP it every 60 seconds and move the mail offline to my encrypted laptop).
In some sense, none of my mail is in the cloud. In another sense, ALL of my mail is in the cloud, because EVERYONE I SEND MAIL TO is using Gmail or a handful of its competitors, all of whom mine that email for commercial surveillance purposes.
It’s pretty wild to think of it this way. We might take steps to protect privacy on email we receive, but email we send may be scanned/mined by the recipient’s email provider.
If that happens, what are the grounds to do this? Senders have no relationship with the recipient’s email provider and no way to know this is happening, let alone signal consent.
Scanning emails for security and spam prevention purposes is one thing. Using that data to feed surveillance capitalism is something else.
This isn’t definitely occurring, but if providers are mining users’ emails for advertising, it’s possible – likely, even – that this is not limited to emails that the user sends.
If this is happening, we arrive at a separate question: are email providers building profiles on people who don’t use the service? In theory, this could be tied to other data sources to match data to a user through their email address.
Bearing all of this in mind, Doctorow’s positioning of privacy as a ‘team sport’ makes a lot of sense. Perhaps we have a responsibility not to use services like Gmail to protect the people we communicate with as well as ourselves.
-
27 December 2021
Adalytics asked the advertiser how they felt about this situation, when they noted that their ad tech vendors had reported “gdpr=0” whilst many of the receiving users were clearly in the EU. The advertiser responded (in writing):
“I would be worried about my compliance risk as an advertiser. After all, my ads were shown and regulators will think I was in breach of privacy regulations. I had trusted the network to take care of all of this, like other basic things (e.g., verifying ads.txt entries). Their lack of basic diligence puts me in jeopardy. If the exchange is not doing basic checks for something so simple, you’d wonder what else they are not doing well, or at all, to protect advertisers from fraud and other issues.”
…
An EU citizen with a German IP address installs Google Chrome on their desktop for the first time. This new instance of Chrome is not logged into any accounts or emails, and has no cookies or local storage.
The user visits a wsj.com article, and is shown a consent banner.
Before this user has an opportunity to click on any specific consent icons or buttons, the user’s browser makes dozens of HTTP requests to third party domains, belonging to companies such as Google, Adobe, New Relic, Cxense, and The Trade Desk.
Many of these HTTP requests contain response headers that set tracking cookies in the user’s browser. For example, an HTTP request made to match.adsrvr.org sets a cookie in the user’s browser called “TDID”; this cookie is set to expire in 365 days.
…
This example with wsj.com and a German IP address user shows that several ad tech vendors are sending and receiving data, and storing cookies, without consent or legitimate interest. These patterns are observed even after the user has navigated through several pages on the wsj.com website post-consent selection.
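The observation above can be turned into a simple check a site owner can run over their own browser traffic capture: flag responses from third-party hosts that set a cookie before the consent click, and report the cookie lifetime. This is an added example of my own, not Adalytics’ tooling; the log entries, timestamps and hostnames other than match.adsrvr.org are constructed for the illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

FIRST_PARTY = "wsj.com"   # the site whose consent banner is in question

# Constructed sample capture (not real traffic): one entry per response the
# browser received, with its Set-Cookie header when one was present.
T0 = datetime(2021, 12, 27, 10, 0, 0, tzinfo=timezone.utc)
CONSENT_CLICKED_AT = T0 + timedelta(seconds=30)
LOG = [
    {"t": T0 + timedelta(seconds=1), "url": "https://www.wsj.com/articles/x",
     "set_cookie": "wsjregion=eu; Path=/; Max-Age=3600"},
    {"t": T0 + timedelta(seconds=2), "url": "https://match.adsrvr.org/track/cmf",
     "set_cookie": "TDID=a1b2c3; Path=/; Max-Age=31536000; Secure"},
    {"t": T0 + timedelta(seconds=3), "url": "https://stats.example-cdn.invalid/p",
     "set_cookie": None},
    {"t": T0 + timedelta(seconds=40), "url": "https://third.invalid/sync",
     "set_cookie": "id=zzz; Max-Age=86400"},
]


def is_third_party(url: str) -> bool:
    host = urlsplit(url).hostname or ""
    return not (host == FIRST_PARTY or host.endswith("." + FIRST_PARTY))


def cookie_lifetime_days(set_cookie: str, now: datetime) -> tuple:
    """Return (cookie name, lifetime in days); 0 means a session cookie."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    for name, morsel in jar.items():
        if morsel["max-age"]:
            return name, int(morsel["max-age"]) // 86400
        if morsel["expires"]:
            expiry = parsedate_to_datetime(morsel["expires"])
            return name, max((expiry - now).days, 0)
        return name, 0
    return "", 0


def pre_consent_third_party_cookies(log: list, consent_at: datetime) -> list:
    """List (host, cookie, days) for third-party cookies set before consent."""
    findings = []
    for entry in log:
        if entry["t"] >= consent_at or not entry["set_cookie"]:
            continue
        if not is_third_party(entry["url"]):
            continue
        name, days = cookie_lifetime_days(entry["set_cookie"], entry["t"])
        findings.append((urlsplit(entry["url"]).hostname, name, days))
    return findings
```

On the constructed log this reports only the TDID cookie from match.adsrvr.org with a 365-day lifetime: the first-party cookie and the cookie set after the consent click are not flagged.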
-
24 December 2021
This is quite something (emphasis my own):
I agree with my friends (and lawyers) at the ACLU: the US government’s indictment of Assange amounts to the criminalization of investigative journalism. And I agree with myriad friends (and lawyers) throughout the world that at the core of this criminalization is a cruel and unusual paradox: namely, the fact that many of the activities that the US government would rather hush up are perpetrated in foreign countries, whose journalism will now be answerable to the US court system. And the precedent established here will be exploited by all manner of authoritarian leaders across the globe.
-
24 December 2021
You can also feel safe knowing we’ve built these subscriptions so that they only renew if you use Signal over the course of the month. Should you stop using Signal, or uninstall the app, they will be automatically cancelled after the next cycle, which helps eliminate the “dark pattern” of subscriptions you’ve forgotten about.
Perhaps the way all software subscriptions should run.
-
22 December 2021
On the metaverse:
Take this quote from the WIRED article:
“If VR and AR headsets become comfortable and cheap enough for people to wear on a daily basis—a substantial ‘if’—then perhaps the idea of a virtual poker game where your friends are robots and holograms and floating in space could be somewhat close to reality.”
What an utterly clownish sentence. The substantiality of that ‘if’ is not ‘hey, maybe we’ll work this out,’ but ‘we are not even remotely close to doing this on a very basic level.’ If you’ve used an Oculus, HTC, or Sony VR headset, or any other of the various bespoke VR experiences, you will know that they are janky, even if you can get the hardware to fit well.
…
The only reason people are giving this term the time of day is because Facebook (successfully) used it to distract from the larger conversation about how much they suck.
On Web3:
Every major influencer-investor - the ones that seemingly do not do anything other than post on Twitter and release 4-hour-long podcasts - has done some sort of 30-tweet thread about how web3 is the future of the economy, but also communities, and that is where the metaverse fits in. Confused? Well, they think you’re an idiot and they’re going to block you if you question it.
…
The idea, of course, is that “everybody wins” because the value of a token goes up, and “it’s decentralized and thus no big party wins,” as long as you don’t think about who has the most tokens, who invested early, and who is or isn’t manipulating the price. The public lie is that you’re playing or participating because it’s a fun game, and because you want to “own your data,” but the reality is you’re trying to “invest” in a system that was built to monetize you.
-
22 December 2021
According to the ANA and PwC, 70% of advertising dollars spent on online programmatic advertising never touch a human being. Of $200 billion in annual programmatic ad spend, $140 billion disappears in “ad fees, fraud, non-viewable impressions, non-brand-safe placements, and unknown allocations” (by “unknown allocations” you can read “shit that no one can figure out.”)
All of that tracking and surveillance for nothing.
Also features a funny story about Scotland:
At the time, when you arrived at an airport in Scotland, you were greeted by signs and posters announcing that you were visiting “The Best Small Country In The World.”
…
After spending $250,000 and six months, the new administration rolled out its exciting new slogan: “Welcome to Scotland”
-
22 December 2021
On George Lucas’ writing tower:
I think this case study underscores the more general point that, for professional creatives, spending money to upgrade the aesthetics of your workspace is not just an exercise in expression, but is perhaps instead one of the best business investments you’ll ever make.