Alice and Bob are the primary characters in a cast of characters first used in cryptographic circles as placeholder names to represent different parties in a transaction. The story goes like this:
Alice wants to send a message to Bob, but she doesn’t want anyone but Bob to be able to read it. Bob also doesn’t want anyone to read his messages to Alice. They do this by securely exchanging special ‘keys’, which they then use to exchange documents and data.
The utility of privacy policies
Does it really make sense to think of Google, YouTube or Facebook as Alice’s “peer” in the way that Alice and Bob are peers for exchanging cryptographic keys? Obviously not. There is a serious power imbalance between this Alice and this Bob. It would really be better to think of these relationships as between Alice and Bob Company or BobCo (or even EvilBobCo). The nature of this imbalance, combined with the dependence of these web sites on advertising for revenue, creates a natural motivation for designers to use 'dark patterns' to ensure that users stay on the sites by whatever means necessary.
As a result of this imbalance, facilitated by dark designs, BobCo is able to sell Alice’s data, or access to Alice’s web page when she is on Bob’s site, to Charlie, who in turn can make Alice’s information available to as many organizations as are interested in that data. This uncontrolled trade in data and almost complete lack of respect for Alice’s privacy or Alice as a person is the basis for the current business model of the Internet and what is meant by the phrase, “If you’re not the customer, you are the product”. Thousands of companies are competing for the chance to process your data, probably unbeknownst to you.
And, by the way, individually you are not that valuable a product. In 2019, Facebook reported over $69 billion in global advertising revenue. But when calculated on a per-user basis, that translates to less than $30. So your entire year’s worth of Facebook viewing and clicking is worth $30 to Facebook. At that price, you have little or no leverage to influence any of Facebook’s policies or attitudes. You and Facebook are not equals in the relationship.
Personal Data Value Chain
So Alice and Bob are not equals. And the structure of the relationship between users and services encourages the extraction and monetization of personal data without meaningful consent. This is not a trade-off of service for a value that most people would make if they thought that they had a choice. This is the so-called “Tradeoff Fallacy”. It’s been known since at least 2009, for example, that Americans reject tailored advertising when it is explained to them. Until Alice can monitor and control what happens to her data, she cannot hold Bob accountable and the exploitation of her data will continue.
There is work being done to address this situation. In the Kantara Initiative, the User-Managed Access Work Group has released the UMA protocol extending OAuth’s capability to enable Alice to control who has access to her resources. Similarly, Kantara has produced a consent receipt specification to enable accountability and transparency in consent. The Vendor Relationship Management project (ProjectVRM) has sparked or inspired dozens of companies or initiatives to empower users in the commercial space, including the Me2B Alliance. MyData Global is an NGO dedicated to the proposition that a person should be at the centre of their own data. The JLINC protocol is an open protocol that will enable Alice to do exactly the kind of monitoring and have the kind of control over her data that is missing.
In the meantime, the next time you read about Alice and Bob, think about the context and draw your own conclusion about the nature of that relationship. Most of the time, I suspect, you will find that it is Alice and BobCo/EvilBobCo and that whether Bob is evil or not, Alice has no power.
Bob is a bully and needs to be stopped.