this post was submitted on 25 Apr 2024
26 points (96.4% liked)

Privacy

31876 readers
365 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

Abstract

Consent plays a profound role in nearly all privacy laws. As Professor Heidi Hurd aptly said, consent works “moral magic” – it transforms things that would be illegal and immoral into lawful and legitimate activities. As to privacy, consent authorizes and legitimizes a wide range of data collection and processing.

There are generally two approaches to consent in privacy law. In the United States, the notice-and-choice approach predominates; organizations post a notice of their privacy practices and people are deemed to consent if they continue to do business with the organization or fail to opt out. In the European Union, the General Data Protection Regulation (GDPR) uses the express consent approach, where people must voluntarily and affirmatively consent.

Both approaches fail. The evidence of actual consent is non-existent under the notice-and-choice approach. Individuals are often pressured or manipulated, undermining the validity of their consent. The express consent approach also suffers from these problems – people are ill-equipped to decide about their privacy, and even experts cannot fully understand what algorithms will do with personal data. Express consent also is highly impractical; it inundates individuals with consent requests from thousands of organizations. Express consent cannot scale.

In this Article, I contend that most of the time, privacy consent is fictitious. Privacy law should take a new approach to consent that I call “murky consent.” Traditionally, consent has been binary – an on/off switch – but murky consent exists in the shadowy middle ground between full consent and no consent. Murky consent embraces the fact that consent in privacy is largely a set of fictions and is at best highly dubious.

Because it conceptualizes consent as mostly fictional, murky consent recognizes its lack of legitimacy. To return to Hurd’s analogy, murky consent is consent without magic. Rather than provide extensive legitimacy and power, murky consent should authorize only a very restricted and weak license to use data. Murky consent should be subject to extensive regulatory oversight with an ever-present risk that it could be deemed invalid. Murky consent should rest on shaky ground. Because the law pretends people are consenting, the law’s goal should be to ensure that what people are consenting to is good. Doing so promotes the integrity of the fictions of consent. I propose four duties to achieve this end: (1) duty to obtain consent appropriately; (2) duty to avoid thwarting reasonable expectations; (3) duty of loyalty; and (4) duty to avoid unreasonable risk. The law can’t make the tale of privacy consent less fictional, but with these duties, the law can ensure the story ends well.

top 15 comments
sorted by: hot top controversial new old
[–] [email protected] 7 points 6 months ago* (last edited 6 months ago) (1 children)

So this type of consent is something like "you don't need consent to do basic data processing because consents are not real"? Bruh what's up with all the horrifying ideas recently?

EDIT: the upvote rate of this post makes my miserable hope for humanity even lower

[–] [email protected] 0 points 6 months ago (1 children)

As I understand, it wants a third consent option, that's what it calls "murky consent", that would only allow very basic and very minimal data processing rights. For example it would not allow usage based on "legitimate interest".

[–] [email protected] 4 points 6 months ago (1 children)

Still it is data collection without my consent. What if I open the website accidentally for example? That concept is no more than enshittification to me. Better do something with the data sharing (like limit it and implement severe punishments for the violations) on the law level

[–] [email protected] 1 points 6 months ago (2 children)

That's the neat part. With this they would only be allowed to collect data that's technically absolutely necessary. No legitimate interests and whatever bullshit. This is for those who only want to give their "consent" because other people are making them use the system.

This of course won't solve trust issues. I won't trust facebook and google because of it, that they will honor it. They can do whatever they want in ways that never will get to known. But I don't think that's solvable with big central providers.

[–] [email protected] 3 points 6 months ago* (last edited 6 months ago) (1 children)

I think that consent is necessary. ANY data processing without consent should be illegal, even if you're not able to use the system without it. It's a matter of human rights.

[–] [email protected] 2 points 6 months ago (1 children)

I agree. But this is a third option, not one to replace the "deny" option. Or did I misunderstand it?

[–] [email protected] 1 points 6 months ago (1 children)

Idk what you mean. As I understood it's definitely one to replace the "deny"

[–] [email protected] 2 points 6 months ago (1 children)

The article complains that the decision right now is just an on/off switch. If this would be a replacement, that would not change.

[–] [email protected] 1 points 6 months ago* (last edited 6 months ago) (1 children)

As I understood they proposed replacing on/off with all/basic_only. That is bad because I have the right not to give any data, especially if I visit the website accidentally. It may not make much actual sense for most people but I'm really serious about my rights

[–] [email protected] 3 points 6 months ago

If they really want to replace "off" with "basic_only", I totally agree with you. "off" is a must have option, partly as you say for accidental visits, and for when you just visited but reading their policy made you leave the site, to keep it that way that data collection can only start when the user presses the agree button.

[–] [email protected] 1 points 6 months ago (1 children)

Who defines what is "absolutely necessary"?

I guarantee none of these blinkered philistines would like my definition.

[–] [email protected] 3 points 6 months ago (1 children)

Disallowing anything based on "legitimal interest" would be a huge step already. As I know, that's how companies get away with stalking.

[–] [email protected] 1 points 6 months ago (1 children)

The problem is that there's no clear definition of "legitimate interest". You may argue that Google has a "legitimate interest" about every part of your life, because they do, so that they can sell your data. Legitimate interest.

The way I see this today can only be defined as "legally stealing". They take our data without our knowledge and use it however they want because they own it the moment they take it from us, but there's no legal threat to them, thus "legally stealing".

[–] [email protected] 2 points 6 months ago

I wanted to mean legitimal interest in the way the GDPR uses it. Often datamining is put under that reason in privacy policies.

[–] [email protected] 3 points 6 months ago

I like the Dutch consent form for body donation. You can just checkmark what you're ok with and what not. I don't know all the details but I expect that it'll be used responsibly.

I think we can all agree that that's an important topic. Why can't we do that for other, often less important, things too?

Like sure, access my diary if your research is supported by a board but not for security purposes unless you have a warrant.