Early this month, Hayley Tsukuyama was talking to an American legislator about digital privacy. It’s one of the main topics of concern for the Electronic Frontier Foundation (EFF), where she works as a legislative activist.

The unnamed legislator was eager not just to learn more about threats to privacy, but to share a disturbing story.

This article is part of CoinDesk’s Privacy Week series.

The lawmaker had recently heard that Target, by using data gathered about the shopping habits of a teenage customer, had determined that she was pregnant. Target then sent flyers and coupons for maternity goods to the girl’s home – where her parents were shocked to learn the joyful news from a massive corporate retailer.

To many, this will sound more unlucky than strange. For better or worse, we’ve gotten used to both massive, omnipresent data gathering and the swirl of uncanny targeted advertising from social media companies, online retailers and assorted attention merchants.

But here’s the most notable thing about the Target story that so scandalized that lawmaker: It happened a full decade ago.

From Snowden to Cambridge Analytica

Tsukuyama’s conversation encapsulates our slow awakening to the challenges and risks of digital surveillance: We’re finally catching on to a problem that has been with us for a long time.

When Charles Duhig of the New York Times unmasked Target’s newfangled “data analytics” methods in 2012, they still seemed mysterious, novel, maybe even exciting. Tech companies like Facebook were enjoying a public honeymoon period, celebrated as the Next Big Thing in the American economy.

But that naïve optimism has been largely washed away by a slowly mounting “techlash,” as one controversy after another reveals just how much privacy we’ve lost to digital surveillance. An early turning point came in 2013, when Edward Snowden disclosed the National Security Agency’s illegal spying program. The outrage that followed showed that Americans were no longer fully on board for the antidemocratic government security measures that prevailed for the decade after 9/11.

Government spying wasn’t the only problem, and maybe not even the biggest one. Expert warnings about online surveillance date back as far as the mid-2000s – one of my own mentors, Mark Andrejevic, published an entire book on the subject in 2007. But the issue was abstract for many Americans until the presidential election in 2016.

“Cambridge Analytica served as a wakeup call and crystallized a lot of inchoate discontent,” said Jay Stanley, a privacy expert with the American Civil Liberties Union (ACLU). The U.K. firm allegedly misused Facebook data and systems on behalf of then-candidate Donald Trump.

“The fact that it was tied to the 2016 election was a shock,” Stanley continues. “It was a demonstration of how much actual power and potential power big tech companies have, and just how sloppy they can be with our privacy.”

The idea that Facebook helped hand the presidency to Trump was always something of a convenient dodge for the feckless Democratic Party – but it also drew attention to real problems that the company, a half-decade later, still hasn’t convincingly addressed. In fact, subsequent reporting only added to public outrage, for instance with findings that Facebook targeted users with negative content to drive clicks, despite its own research on the mental health harms of those practices.

Meanwhile, psychologists, sociologists and journalists have been uncovering even broader fallouts from the dizzying cocktail of surveillance and targeted advertising. Jean Twenge has documented the grim psychological effects digital echo chambers are having on teenagers. “The Age of Surveillance Capitalism,” written by no less an establishment figure than Harvard Business School professor Shoshana Zuboff, has become a touchstone for critics of platforms’ exploitative data hoarding.

This wave of revelations has sharpened public distrust of internet companies that collect user data. In 2014, 24% of Americans still believed they could be securely anonymous online, according to Pew Research Center. By 2019, fully 62% believed they could not escape monitoring by private companies, not just online, but in their broader daily lives.

In a December 2021 poll by the Washington Post, a whopping 72% of U.S. internet users said they trusted Facebook “not much” or “not at all” to handle their data responsibly. (Those sentiments help explain why Facebook’s parent company recently rebranded itself “Meta Platforms,” an evasion I try to avoid reinforcing.) Even Apple and Amazon, which performed best out of the companies in the survey, were distrusted by 40% of respondents.

There’s another index of privacy fears that is particularly emblematic of our era: the rise of conspiracy theories about digital surveillance. Tsukuyama of the EFF says she frequently talks to people certain that their smartphones or other devices are actively listening to their conversations and then delivering ads based on that spying. Tsukuyama and other third-party experts say that’s not true – but just because you’re paranoid, it doesn’t mean they’re not after you.

“Your phone’s not listening to you,” Tsukuyama says. “But what’s scary is that [companies] don’t have to listen. They can infer who you’re hanging out with, time of day, if you’re looking for stuff, your age, all these kinds of things, from your search history.

“They don’t need to listen to you – they just know anyway.”

Betting on the ‘techlash’

The EFF, ACLU and other organizations and activists have continued the hard democratic work of enshrining stronger privacy into law. But over the past few months, these fears have also bloomed into something Americans tend to be more enthusiastic about than major legal reform: a money-making pitch. This one is christened Web 3.

Web 3 is still ill-defined, capable of standing for almost any fantasy of the digital future. But a foundational pillar is the idea that blockchain-backed assets and decentralized data systems can help users regain control from big platforms like Facebook or YouTube.

It’s still unclear exactly how that might work, and figures like Twitter founder and Block CEO Jack Dorsey have alleged “Web 3” is just a hollow catch phrase promoted by venture capitalists. But however vague, the promises have generated a flood of media coverage and seized the attention of techies.

Even before Web 3, investment in privacy technology was rising steadily. According to Crunchbase, venture capital investments in “privacy and security” startups more than quintupled between 2011 and 2019, from $1.7 to $9.9 billion.

Those numbers exclude blockchain and crypto projects, but money is flowing into them, too – witness the recent $400 million infusion to the privacy-focused Secret Network. Crunchbase lists 207 privacy startups with $3.5 billion in funding raised, and an average founding date of October 2015. That makes them much younger than the average social media startup, founded in April 2009.

And there are strong signs of genuine user interest in privacy-oriented digital products and features.

DuckDuckGo, the search engine whose primary pitch is that it doesn’t track users, now reportedly has larger market share on mobile than Microsoft’s Bing (a low bar, but still). Interest in the decentralized and open-source social media network Mastodon has grown steadily in recent years, though actual user numbers are hard to come by.

Perhaps most notably, encrypted messaging apps Telegram and Signal grew dramatically in 2021.

Will financial surveillance face a reckoning?

Rising anxiety about data tracking may portend a similar shift on an issue more obviously relevant to blockchain and crypto projects: financial privacy.

Some “fintech” startups have helped to erode people’s financial privacy (I’m looking at you, Venmo). But the federal government has also been a major culprit, dating back at least to new international banking rules after 9/11.

And the Biden administration has accelerated the financial monitoring agenda to Ludicrous Speed.

In the summer of 2021, for instance, we saw a clumsy attempt to broaden reporting requirements for crypto wallet transactions, which generated such controversy that it briefly threatened Biden’s first big spending bill. That provision was rumored to have been promoted behind the scenes by Treasury Secretary Janet Yellen.

Yellen’s Treasury Department was behind an even more extreme proposal, which would have granted the Internal Revenue Service the right to monitor individual bank accounts with more than $600 in transfers per year. The universal surveillance measure was rationalized as a way to increase tax revenue, despite the fact that the wealthiest 1% of Americans are responsible for a vastly disproportionate share of missing revenue (and are unlikely to use personal U.S. bank accounts to hide their wealth). The provision’s threshold was raised to $10,000 in the face of pushback from Republicans and banks and was then ultimately withdrawn.

To its credit, the Biden administration did drop a sweeping proposal from its predecessor that would have required crypto exchanges to verify the identities behind crypto wallets their customers transacted with. Still, Yellen’s recurring case of legislative foot-in-mouth disease betrays a strange and disturbing openness to testing the boundaries of the right to privacy enshrined in the Fourth Amendment of the U.S. Constitution. Similar impulses have gone even further outside the U.S., as with India’s campaign to eradicate cash and China’s heavily surveilled “digital yuan.”

These top-down efforts to reduce the freedom to transact could end with the same kind of backlash to mainstream finance that has permanently tarred Facebook. It is tempting to argue that this is already underway – that the huge inflow of capital to cryptocurrency over the past two years was driven by real anxiety over rising financial controls.

But we all know that interpretation would be self-indulgent. While still potentially enhancing privacy for informed users, crypto has become largely unmoored from one of its clearest real applications, eroded by wave after wave of speculative manias in which rising numbers are all that really matter. Whether some of those speculators will pick up actual insights about data privacy as they throw a quadruple-leveraged long on Floki Inu Coin is, at best, uncertain.

Prospects for federal privacy regulation

There is a broader problem with focusing on products and services that enhance privacy, whether we’re talking about cryptocurrency or a OnePassword subscription: Not everyone can afford them. Even as anxiety over privacy continues to rise, a purely market-based approach would likely create a world in which your access to privacy depends on your ability to pay for it.

“That’s why we’re very much in favor of federal privacy legislation,” said Samir Jain, policy director for the Center for Democracy and Technology (CDT) “That legislation should have protections that don’t involve paying money, but are basic rights applying to everyone … regardless of your ability to pay.”

The prospects for privacy legislation at the federal level are surprisingly bright, according to Jain, especially given the partisan dysfunction that has reigned in Washington for going on two decades. “It’s a rare topic where there is a lot of bipartisan agreement,” he said. “There are Republican and Democratic proposals.”

At the state level, California, Colorado, and Virginia have enacted broad privacy regulations, some modeled on Europe’s data protection act, GDPR (General Data Protection Regulation). The appearance of a patchwork of state laws can sometimes make federal regulation nearly inevitable, as the regulated companies themselves eventually start wishing for simple uniformity. Unfortunately, according to many experts, companies often aim to subvert the process by proposing intentionally toothless legislation.

But there are models for effective federal regulation. At the minimum, good laws would limit what data companies can collect and retain to what they need for their operations and give the public the right to review data gathered about them. But there are more radical provisions on the table.

One of the most important would close a major loophole in data available to the federal government. There are, at least in theory, strict limits on the government’s freedom to surveil its citizens. The protections against “unreasonable search and seizure” in the Fourth Amendment were expanded and clarified by a 1967 Supreme Court case to include electronic communications. The Privacy Act of 1974, passed partly in response to abuses by the Central Intelligence Agency during its campaign of terror against the civil rights movement, further narrowed what the U.S. government can do with data about citizens.

“But the data brokers keep dossiers on everybody, and the government has contracts with the data brokers,” the ACLU’s Stanley said. “So it’s a complete end run around privacy protections.”

This end run is possible because of what’s known as the “third-party doctrine,” a U.S. legal standard according to which citizens can claim “no reasonable expectation of privacy” regarding any data voluntarily turned over to a third party. That includes banks, internet service providers, social media companies or effectively any other nongovernmental entity. One effect of the doctrine is that government agencies have the right to freely buy data about citizens that they would be prohibited from gathering directly without a court-issued warrant.

This nightmarish loophole has led to a variety of abuses, such as police departments buying license plate camera surveillance data from private firms. In April, a large and bipartisan group of U.S. senators introduced “The Fourth Amendment Is Not For Sale Act,” a bill to close the loophole.

That’s a genuine bright spot, and there’s more where that came from.

“I think American legislators are pregnant with privacy regulations,” Stanley said. “It’s not clear when they’ll give birth or what those will look like.”

Targeting targeted ads

But the truly nuclear solution to privacy is unlikely to ever catch on with Congress: banning targeted advertising.

“Advertising is what makes data worth money,” as Stanley succinctly puts it, what ultimately motivates much of the data gathering by private companies. It’s why Facebook prioritizes outrage over more positive feelings and why Instagram pummels teen girls with alluring but psychically toxic imagery. But a legal ban on programmatic advertising, or even heavy regulation of it, is extremely unlikely to gain traction in the U.S., the home of the world’s biggest data monetizers.

That brings us back to Web 3 – not the fantastical VC fable of infinite non-fungible token widgets, but a simpler and more grounded vision that merely integrates cheaper, automated, customizable payments into Web-based services.

In a best-case scenario, that would enable a much broader set of business models, instead of making so much of the web dependent on advertising – and, in turn, user data. It’s one scenario for the eventual decline of data hoarding as a business model.

However events unfold, Stanley said the rise of digital surveillance is a fast-moving “land grab” based on the ability of innovation to outpace regulation. If history is any lesson, norms and regulations will eventually catch up to this early wave of digital privacy looters.

“We saw this in the 18th century, even in Europe,” he says. “It was common for the monarchies to be reading everyone’s mail, and there was a lot of pushback on that. Over the decades and centuries, nearly every European country stopped doing that.”

“It can be very slow moving,” Stanley concluded. “But there’s a long arc towards privacy.”