Read the Blog

The illusion of online privacy

Apathy, cost, ignorance or only cleaning house when the regulations are enforced?

Various UK government sites make use of intrusive tracking technologies and fail to implement privacy measures required by the law, including that of the UK information commissioner themselves! I have been emailing both the ICO and the UK Government to get them to confirm why they are leaking my personal data and everyone else who visits their sites to hundreds of third party companies, mainly involved in the online advertising ecosystem.

As far as I understand the Real Time Bidding (RTB) system is incompatible with GDPR, but as an entrenched system, targeted advertising using personal data without any legal basis is going to take a while to go away.

One of the big problems is that the RTB is a closed system, and vague privacy policies mean that people do not know what is happening to their personal data. The businesses that are the data controllers lose control of their data (which they are obliged to protect), which is then built into profiles connecting up many other data sources, exploiting the mosaic effect to de-anonymise real people. Obviously for targeted advertising to be most effective, more data points makes for better results – but at what cost?

This is the use of personal data, often including “special category” data like health records, with no consent, no control, little regulation and against the law.

On my quest to get answers, the ICO and UK Government have told me that due to budget constraints they use “free” software for analytics and advertising, and are seemingly unaware that they using personal data as the currency to pay for these “free” software services. This is not what we want to hear from the body responsible for policing exactly this behaviour for the whole country – it’s straightforward ignorance and incompetence.

I am often told my data is anonymised, but in practice that is actually hard to do, so I have asked for more details of this anonymisation process, which again typically implemented using “free” services provided by the very companies that I would like to keep personal data away from. 

There is such a glaring conflict of interest for companies who make their billions from collecting and analysing personal data for targeting advertising and swinging elections and also being the software creators who claim to render the data useless. We have seen Facebook making “end-to-end encryption” claims for WhatsApp, all the while uploading unencrypted message content outside that encrypted connection. When Google acquired DoubleClick, they promised that identifiable data would never be accessible to advertisers – that lasted a few months, and then advertisers were allowed to see everything. Google and Facebook in are actively trying to gaslight the definition of privacy as “sharing with anyone except us”. These companies simply cannot be trusted.

There are dark patterns in common use – witness all those awful, disingenuous cookie consent popups that obfuscate, trick, and outright lie about their purpose and function, despite the fact that GDPR says about gaining consent “Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid”, for example this revolting pop-up from TrustE:

This continuing widespread abuse reflects the absence of effective enforcement. Most businesses are not going to self-regulate as there is a cost, and many are just not aware that their processes are illegal, mostly because they are so blatantly misled by bodies like the IAB.

Checking websites for third party elements, cookie use, security settings and headers, and other obvious features of rudimentary GDPR compliance is simply a case of pasting their URLs into checking websites. This information and a privacy policy are really the only externally visible insights into a company’s approach to security and privacy. Privacy policies often say they will “take data protection seriously” but the giveaways for poor governance are the use of vague terms such as “we may share your data with selected third parties”, the use of inappropriate cookie popups, and the ridiculous number of third parties plugged into their web sites. 

Many companies will not tell you the physical local of the data, who has access and how they keep your data safe – data protection impact assessments are sometimes done, but companies are often reluctant to share them. Security is a living thing, an ongoing arms race with hackers that requires perpetual vigilance to avoid systems being compromised and data exposed – myriad data breaches are witness to how common this is, even amongst companies that have sufficient resources to do this right.

Privacy sits on top of data protection & security; without security, there is no privacy. Around the world there are different laws to keep data protected (many based on the wonderfully prescient EC convention 108) but some come from very different philosophies. In the EU, data privacy is enshrined into laws and culture but in the US, personal data is a commodity to be traded for profit. This represents a fundamental incompatibility, and despite the existence of band-aid fudges like privacy shield, you can expect future court cases and fines to clarify the situation but for now the big data and advertising industries are doing their best to slow down the inevitable day of reckoning.

In our little corner of the web at, we’re trying to be different. You’ll find no trackers, no stray cookies, no third parties, but strong principles, compliance with the spirit, not just the letter of the law, solid security, clarity and transparency in our actions, all underlying straightforward services that you pay for with old fashioned money, not personal data.