Creating multilateral privacy solutions: Is the GDPR actually helping?

August 24, 2022 / Alex Linton / Privacy

Dubious claims about technology that can 🙏save us all🙏 have often plagued the privacy tech space. It's understandable: digital privacy is (seemingly) a technological problem, so it stands to reason that it should have a tech solution, right? Well, the issues run a bit deeper than that — the entire business model of the internet is at odds with privacy, after all. The solutions are likely to be radical and complex — requiring a hard-to-wrangle combination of tech, regulation, and culture.

Every tech company and their intern has tried to argue that they can (and will) 'solve' the privacy problem using some combination of encryption, advanced security techniques, and vague claims about online safety. Honestly, it's usually marketing nonsense designed to soften people up and alleviate their concerns about mass surveillance and data brokerage. 

Evidently, Session...also talks about all of these things, so you might be thinking, 'Alex, why did you open this article with a hundred words of self-own?' Well, as much as a lot of tech is LARPing privacy preservation, Session is the real deal — and tech definitely is a big part of the future of privacy. Session is part of a wider movement whose goal is to achieve robust protection of everyone's privacy rights — and the safety, security, and other human rights protections that come along with privacy. Actually achieving that outcome is complicated and almost certainly requires a multilateral approach with contributions from more than just the tech industry itself. Like I said earlier, tech will obviously need to make a huge contribution to solving this issue.

Zuckerberg's 2021 post outlining his vision for the privacy-focused future of social networking actually did provide a pretty good framework for what we should try to create and provide for people. Private interactions, encryption, reducing permanence, safety. Excellent! Of course, Facebook's actual commitment to achieving these noble goals is about as solid as an atheist at Sunday service. Not every tech company is playing ball when it comes to digital privacy, but that's okay — that's why we've got regulation, right? 

Now that the infamous GDPR has well and truly established itself, many countries have followed suit — and now over 100 countries have some kind of legislation protecting data and privacy. Impressive, right? Well, not really — clearly privacy is still a huge, huge issue.

Unfortunately, regulation comes with some serious drawbacks — it's really hard to strike a balance between toothless regulation that achieves nothing and overbearing regulation that stifles progress and innovation. The crown jewel of privacy regulation is without a doubt the GDPR. Although the GDPR is specific to the European Union, it is a mammoth piece of legislation and has changed the way that companies handle personal data all across the world. It's so complex and impactful that people will make entire careers out of just knowing a lot about this specific piece of regulation. 

There are still some serious problems, though. While the GDPR might be well-meaning, it doesn't necessarily serve its purpose all of the time. In 2019, researchers found they were actually able to abuse the GDPR's 'Right of Access' to obtain and expose people's personal data. Just using information shared on social media, the researchers were able to obtain personal data from 8 out of 55 organisations using a right of access request. 

Some further shenanigans with photoshopping ID cards raised that number to 15 out of 55 organisations, or 27 per cent. These are some extremely concerning figures. While these organisations are doing their best to comply with the processes as they are set out in the GDPR, doing so gives malicious attackers the potential to obtain data using simple social engineering.

Follow-up research from the same group of researchers actually found that this issue had gotten worse since the original study in 2019, as more organisations worked to comply with data requests under the GDPR. It's...a bit of a nightmare. 
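The failure the researchers exploited is an identity-verification gap: a right-of-access request was honoured on the strength of details anyone can find on social media, or an edited ID image. The following is an added illustration (my own example, not code from Session or from the research described above) of the check a data controller would want before fulfilling such a request. It assumes a hypothetical record store keyed by account email, treats public attributes and uploaded ID images as insufficient on their own, requires proof tied to a channel the organisation already controls, and only ever delivers the data to the contact on file rather than to an address the requester supplies. Refusals use one uniform wording so the response does not reveal whether the claimed subject exists.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum, auto


class Evidence(Enum):
    """Kinds of proof a requester can offer. Only the last two are tied to
    something the organisation already controls, which is what makes them
    hard to fake with public profile data or an edited ID photo."""
    PUBLIC_ATTRIBUTE = auto()       # name, birthday, address, employer, etc.
    ID_DOCUMENT_IMAGE = auto()      # uploaded scan or photo of an ID card
    ON_FILE_CHANNEL = auto()        # completed a challenge sent to the contact on record
    AUTHENTICATED_SESSION = auto()  # submitted while logged in to the subject's account


# Evidence that, on its own, authorises disclosure of a subject's data.
STRONG_EVIDENCE = frozenset({Evidence.ON_FILE_CHANNEL, Evidence.AUTHENTICATED_SESSION})


@dataclass(frozen=True)
class AccessRequest:
    subject_id: str        # identity the requester claims (here: account email)
    reply_to: str          # where the requester asked to receive the data
    evidence: frozenset    # set of Evidence values supplied with the request


@dataclass(frozen=True)
class Decision:
    disclose: bool
    deliver_to: str | None  # None unless disclosure is approved
    reason: str


# Constructed sample record store (hypothetical): subject id -> contact on file.
RECORDS = {
    "alice@example.test": "alice@example.test",
    "bob@example.test": "bob-private@example.test",
}

# One wording for every refusal, so the reply does not leak whether the
# claimed subject is in the records at all.
GENERIC_REFUSAL = "identity not verified through a channel on record"


def evaluate(request: AccessRequest, records: dict[str, str] = RECORDS) -> Decision:
    """Decide whether to fulfil a right-of-access request.

    Rules, in order:
      1. Public attributes and ID images never authorise disclosure,
         alone or in combination.
      2. At least one strong proof (on-file channel or authenticated
         session) is required.
      3. Data is delivered only to the contact already on record, never
         to the address the requester chose.
    """
    on_file_contact = records.get(request.subject_id)
    strong_proofs = request.evidence & STRONG_EVIDENCE
    if on_file_contact is None or not strong_proofs:
        return Decision(False, None, GENERIC_REFUSAL)
    used = ", ".join(sorted(e.name for e in strong_proofs))
    return Decision(True, on_file_contact, f"verified via {used}")


if __name__ == "__main__":
    # Constructed sample requests: a social-engineering attempt and a genuine one.
    weak = AccessRequest("alice@example.test", "attacker@example.test",
                         frozenset({Evidence.PUBLIC_ATTRIBUTE, Evidence.ID_DOCUMENT_IMAGE}))
    strong = AccessRequest("bob@example.test", "attacker@example.test",
                           frozenset({Evidence.ON_FILE_CHANNEL}))
    for req in (weak, strong):
        print(req.subject_id, evaluate(req))
```

Note that the "reply_to" field is deliberately ignored when choosing where the data goes: even a fully verified request is answered at the contact on record, which closes the path where a verified subject's data is redirected to an attacker-chosen address.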

What all of this points to is a larger, systemic issue with the way that we approach and conceive of privacy. Privacy isn't simple, linear, or binary — not even close. Unfortunately, a lot of the time regulation such as the GDPR can't help but see things in black and white — it's the law, after all — when there is a lot more nuance that needs to be taken into account in order to craft successful legislation. The bottom line is, much as one piece of tech can't deliver us from the evils of the privacy-violating tech landscape, the GDPR is also a long way away from being our saviour.

As always, there is a lot of work that needs to be done when it comes to privacy. These are systemic issues, and our framework for imagining solutions has flaws that will prevent us from getting real, sustainable progress in the future. But the mission is clear, and together we will build a more private future for everyone.
